Abstract

The U.S. Congress has mandated that all aircraft operating within the National Airspace System, military or civilian, be equipped with Automatic Dependent Surveillance-Broadcast (ADS-B) transponders by the year 2020. The ADS-B aircraft tracking system, part of the Federal Aviation Administration’s NextGen overhaul of the Air Transportation System, replaces Radar-based surveillance with a more accurate satellite-based surveillance system. However, the unencrypted nature of ADS-B communication poses an operational security risk to military and law enforcement aircraft conducting sensitive missions. The non-standard format of its messages and the legacy communication channels used by its transponders make the ADS-B system unsuitable for traditional encryption mechanisms. Format-Preserving Encryption (FPE), a recent development in cryptography, provides the ability to encrypt arbitrarily formatted data without padding or truncation. Indeed, three new algorithms recommended by the National Institute of Standards and Technology (NIST) may be suitable for encryption of ADS-B messages. This research assesses the security and hardware performance characteristics of the FF1, FF2, and FF3 algorithms in terms of entropy of ciphertext, operational latency and resource utilization when implemented on a Field-Programmable Gate Array. While all of the algorithms inherit the security characteristics of the underlying Advanced Encryption Standard (AES) block cipher, they exhibit differences in their performance profiles. Findings demonstrate that a Bump-in-the-Wire FPE cryptographic engine is a suitable solution for retrofitting encryption to ADS-B communication.
FEDERAL AVIATION ADMINISTRATION’S NEXT GENERATION AIR TRANSPORTATION SYSTEM


I. Introduction

1.1 Background

The Federal Aviation Administration (FAA) is upgrading the aging National Airspace System (NAS) to a higher capacity Next Generation Air Transportation System (NextGen). A major component of the new Air Traffic Control (ATC) system is Automatic Dependent Surveillance-Broadcast (ADS-B), which upgrades the slow and costly Radar-based surveillance system to a more precise and efficient position reporting system based on the Global Positioning System (GPS) and Wide Area Augmentation System (WAAS) [15].

The U.S. Congress has mandated through the Vision 100 - Century of Aviation Reauthorization Act [64] - that all aircraft, military and civilian, update their equipment to ADS-B capable transponders by the year 2020. Recent research, however, has demonstrated the ease with which ADS-B messages can be spoofed and false traffic injected into the ADS-B domain [38]. In addition to the danger of spoofed or non-existing aircraft appearing in the ATC system, sensitive traffic can be easily tracked with the aid of commercially available equipment. As an example of a potentially malicious scenario, an anonymous user with an inexpensive ADS-B In receiver can track the precise latitude, longitude and altitude of Air Force One or other aircraft carrying political dignitaries.
The U.S. military has identified unique applications of ADS-B for its operations, but is concerned with the Communications Security (COMSEC) vulnerabilities of the system [25]. As such, the Department of Defense (DoD) has asked for the development of encryption and jam/spoof proofing mechanisms for ADS-B. The U.S. Navy and Coast Guard use the Advanced Encryption Standard (AES) and Blowfish algorithms to encrypt the Automatic Identification System (AIS) [46], their homologous vessel tracking system. However, the non-standard format of ADS-B messages and the legacy communication channels used by its transponders make it incompatible with traditional encryption mechanisms. Indeed, traditional encryption mechanisms require a message of standard size, such as 128-bit blocks for the AES algorithm, or a message that can be padded or truncated to fit the expected format. ADS-B, however, reuses existing 1090 MHz Mode S channels and transponders, which are limited to transmitting and processing messages that are 112 bits in size.

Format-Preserving Encryption (FPE), a recent development in cryptography, provides the ability to encrypt arbitrarily formatted data without padding or truncation [3]. The National Institute of Standards and Technology (NIST) recently released Draft SP800-38G - Recommendation for Block Cipher Modes of Operation: Methods for FPE [10], which recommends three algorithms for Format-Preserving Encryption. The NIST and members of the cryptography community suggest that FPE algorithms inherit the security characteristics of the underlying block cipher [48]. The FF1, FF2 and FF3 algorithms, recommended by the NIST, may be suitable for retrofitting encryption to the ADS-B system.

An alternate solution for maintaining the Operational Security (OPSEC) of sensitive military and law enforcement aircraft is to adapt ADS-B messages for use within the existing military Identification Friend or Foe (IFF) transponders [32]. IFF transponders use a Type-1 [29] algorithm, approved by the National Security Agency (NSA), which is embedded in a programmable cryptographic engine. However, Mode 5 Level 2 (M5L2) IFF transponders lack a well-defined framework for precision tracking, and suffer from high latency which leads to imprecise position messages. The M5L2-B solution for retrofitting encryption to ADS-B trades accuracy for security. This leaves the Air Force with the options of either not complying with the 2020 congressional mandate, using the inaccurate M5L2-B position reporting system, or worse, operating with the unsecured ADS-B system and sacrificing OPSEC.

A more desirable solution is to provide security while maintaining the precision and accuracy of the existing ADS-B system. A Bump-in-the-Wire (BITW) FPE cryptographic engine could be retrofitted to existing ADS-B transponders to accomplish that task. Such a cryptographic engine would have to meet hardware performance requirements established by the FAA for mission-critical avionics equipment [17].

1.2 Motivation

As far as the military is concerned, the NextGen upgrade is insecure as designed, and solutions to its security gaps must be found before moving towards military implementation. However, the FAA maintains that the upgraded system does not subject aircraft to any increased risk compared to that which is already experienced given the current surveillance system [17]. Nevertheless, military aircraft manufacturers have started testing unsecured ADS-B transponders for use in manned and Unmanned Aerial Vehicles (UAVs) [22].

In 2013, Finke proposed the FFX [2] FPE algorithm for use within the Next Generation Air Transportation System [20]. Since then, the NIST has reviewed candidate algorithms for standardization and has officially recommended three algorithms for FPE. At the time of this writing, the NIST has not released details of its internal deliberations nor performance assessments of the FF1, FF2, and FF3 algorithms.
1.3 Research Objectives

The goal of this research is to determine the suitability of the FF1, FF2, and FF3 algorithms for encryption of ADS-B messages, with regard to security and performance.

The first objective is to evaluate the security characteristics of each algorithm within a representative ADS-B environment. Part of the objective is to validate the hypothesis suggested by the algorithm designers and the NIST that the algorithms inherit the strong security characteristics of the block cipher used in the Feistel round function [10, 41].

The second objective is to evaluate the hardware performance of each algorithm by measuring operational latency and resource utilization of a Field-Programmable Gate Array (FPGA) implementation. DO-260B “Minimum Operational Performance Standards for 1090 MHz Extended Squitter Automatic Dependent Surveillance - Broadcast (ADS-B) and Traffic Information Services - Broadcast (TIS-B)” [55] specifies timing and latency requirements for the ADS-B transponder. The performance of the algorithms is assessed according to the DO-260B standard.

Finally, the research assesses the merits of a BITW FPE cryptographic engine implementing FF1, FF2 or FF3 for retrofitting security to existing ADS-B avionics equipment.

1.4 Approach

The research objectives are approached through modeling and simulation in software, and measurement of a hardware implementation. The methodology used to evaluate the security characteristics of the FF1, FF2, and FF3 algorithms builds on research conducted on the FFX algorithm by Finke [20]. The algorithms are implemented in C following the pseudocode descriptions provided in [10], with 128-bit AES as the underlying block cipher. Pilot experiments determined that byte alignment and CPU optimization requirements limit the C programming language to the byte as its lowest level of data granularity. Given these limitations, only 104 of the available 107 encrypt-able bits of the ADS-B message are encrypted. The algorithms are tested with a model dataset composed of incrementally deterministic messages in the Fixed Bytes test, a simulated ADS-B message dataset in the Fixed Fields test, and an operational ADS-B dataset extracted from an observed Radar track. The ENT tool [66] is used to measure the Shannon entropy of the resulting ciphertext. Statistical tests are conducted to compare the ability of the FPE algorithms to produce ciphertext with entropy equal to or greater than that of a random sequence.
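The entropy measurement described above, as an added example that is not the thesis's own code: it computes ENT-style Shannon entropy in bits per byte over a constructed dataset shaped like the Fixed Bytes test (14-byte frames that differ only in a counter) and over a random reference. It goes one step beyond the text with a per-byte-position entropy, which shows directly which positions of a structured message never change and would remain recognisable if a cipher left them in the clear.

```python
"""Shannon entropy of a byte stream as the ENT tool reports it (bits per byte),
applied to constructed model data in the shape of the 'Fixed Bytes' test.

Added illustration of the evaluation method; the datasets are constructed
here and are not the thesis's data.
"""
import math
import os
from collections import Counter

MESSAGE_BYTES = 14  # a 112-bit ADS-B squitter occupies 14 bytes


def entropy_bits_per_byte(data: bytes) -> float:
    """H = -sum p(x) * log2 p(x) over the observed byte values; the maximum is 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def per_position_entropy(dataset: bytes, width: int = MESSAGE_BYTES) -> list:
    """Entropy of each byte position taken across all messages of a fixed-width dataset.

    A position that never changes (e.g. a fixed header byte) has entropy 0.0;
    ciphertext that still shows such columns leaks message structure.
    """
    if len(dataset) % width:
        raise ValueError("dataset length is not a whole number of messages")
    columns = [dataset[i::width] for i in range(width)]
    return [entropy_bits_per_byte(col) for col in columns]


def fixed_bytes_dataset(count: int) -> bytes:
    """Incrementally deterministic messages: identical 14-byte frames except for a
    counter in the last two bytes, so most positions never change (constructed)."""
    out = bytearray()
    for i in range(count):
        frame = bytearray(MESSAGE_BYTES)
        frame[0] = 0x8D            # constructed fixed header byte
        frame[12] = (i >> 8) & 0xFF
        frame[13] = i & 0xFF
        out += frame
    return bytes(out)


def random_dataset(count: int) -> bytes:
    """Reference sequence: ciphertext entropy is judged against this."""
    return os.urandom(count * MESSAGE_BYTES)


def entropy_deficit(candidate: bytes, reference: bytes) -> float:
    """How far the candidate's entropy falls below the reference; a value <= 0 means
    it meets or exceeds the reference, the outcome expected of sound ciphertext."""
    return entropy_bits_per_byte(reference) - entropy_bits_per_byte(candidate)


if __name__ == "__main__":
    plain = fixed_bytes_dataset(4096)
    ref = random_dataset(4096)
    print("plaintext entropy :", round(entropy_bits_per_byte(plain), 3))
    print("random reference  :", round(entropy_bits_per_byte(ref), 3))
    print("per-position      :", [round(h, 2) for h in per_position_entropy(plain)])
    print("deficit vs random :", round(entropy_deficit(plain, ref), 3))
```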

Once evaluated in software, the algorithms are implemented in VHDL. The hardware designs are simulated and synthesized on the Virtex-6 FPGA using the Xilinx ISE 14.6 design suite. An Iterative Looping architecture is used to implement the Feistel structure of FPE. Behavioral simulation tests, Post-PAR static timing analysis and device utilization analysis are performed on each design. The hardware implementations are compared to each other and to the underlying AES core. An analysis of the research results details the security and performance characteristics of each algorithm and their suitability for use in a BITW FPE cryptographic engine for ADS-B avionics equipment.

1.5 Organization

Chapter II reviews the state of the NAS, discusses operating specifications of ADS-B and relevant encryption theory, and describes the FF1, FF2, and FF3 algorithms. Chapter III presents the methodology for evaluating the security and performance of the three algorithms. Chapter IV presents the results of the experiments and an analysis of the findings. In conclusion, Chapter V summarizes the research effort and offers suggestions for future work.
II. Background

This chapter presents necessary background information and examines related research. It assesses the security requirements of ADS-B, a key component of the NextGen ATC system, and presents the three methods for Format-Preserving Encryption recommended by the NIST. Finally, it surveys the software and hardware requirements of ADS-B equipment and examines the suitability of FF1, FF2, and FF3.

2.1 The National Airspace System

Following World War II, an increase in air travel in the United States prompted the creation of the Federal Aviation Agency to manage the nation’s Air Transportation System (ATS) [15]. The NAS was then created and has evolved into a complex system-of-systems. The NAS consists of a network of air navigation facilities, ATC facilities, airports, radar stations, radio beacons, and the panoply of rules and regulations necessary to provide a safe and efficient flying environment. It is divided into 21 Air Route Traffic Control Centers (ARTCCs), each responsible for a regional sector, which in turn manage more than 690 ATC facilities with associated systems and equipment in order to provide radar and communication services to aircraft transiting the NAS.

In aviation, aircraft operate under two distinct categories of operational flight rules: Visual Flight Rules (VFR) and Instrument Flight Rules (IFR). Under VFR, typically used by General Aviation (GA) aircraft operating under 18,000 feet, the pilot is primarily responsible for seeing other aircraft and maintaining safe separation. This ceiling is also known as Flight Level 180 (FL180). Under IFR, used by commercial and other high-performance aircraft operating above FL180, ATC is primarily responsible for providing aircraft separation in a controlled airspace [16]. Aircraft operating under IFR typically fly along predefined airways and rely on controllers to detect route conflicts and provide navigational direction in order to maintain safe separation. In 2007 alone, FAA towers logged approximately 48,200,000 instrument operations, of which 30 percent were air carrier, 27 percent air taxi, 37 percent general aviation, and 6 percent military [15]. The FAA projects a growth in the commercial aviation space from approximately 750 million in 2012 to an unprecedented 1.15 billion enplaned passengers by 2033, as shown in Figure 2.1. Air traffic controllers currently handle 9 to 15 aircraft at any one point [24]. With the projected increase in air traffic, experts believe controllers could be required to handle up to 45 aircraft at any one point, a situation that is completely unsafe and infeasible to manage [27].
Figure 2.1: FAA Passenger Enplanement Forecast [14].
Since the advent of the FAA in 1958, advances in radar technology, navigation technology, and aircraft avionics have enabled significant expansion of the ATC system. However, the system is now approaching its operating limits and the FAA is looking to improvements in communication and navigation instruments to bring about an evolution towards Free Flight [15]. Free Flight is a concept which minimizes the role of ATC operators and gives responsibility to aircrews to make flight path decisions in a cooperative and distributed decision-making process. Currently, ATC constrains airplanes under its control to fly on fixed airways that are covered by ground-based radar and navigation beacons. Under Free Flight, pilots could file a flight plan and make changes en route without contacting ATC. This freedom would allow the crew to select the shortest, most fuel-efficient route or the most comfortable flight level. Free Flight, however, can only be effective if aircraft are equipped with accurate position determination, collision avoidance and data communications equipment [26].

2.2 The Next Generation Air Transportation System

The current NAS, designed in 1982, relies on legacy infrastructure and antiquated technology [15]. The NextGen is scheduled for implementation across the United States in stages between 2012 and 2025. This transformation aims to enhance safety, reduce delays, save fuel and reduce aircraft exhaust emissions, in addition to its primary mission of enabling sustainment of the increasing demand in air transportation across the country [18]. NextGen was approved in 2003 by the U.S. Congress, and signed into law through the Vision 100 - Century of Aviation Reauthorization Act [64]. NextGen and Europe’s upcoming Single European Sky (SES) system will contribute to the delivery of the International Civil Aviation Organization (ICAO)’s One Sky vision - a seamless, performance-based global air navigation system [56].

The NextGen overhaul to the NAS includes transformational programs for: (i) satellite-based navigation, (ii) collaborative air traffic management, (iii) data communications, (iv) network-enabled weather services, (v) digital voice communication technology, and (vi) improvements to the NAS network infrastructure [18]. One of the most significant changes is the inclusion of the ADS-B system, which is intended to improve surveillance capabilities of ATC and enable precision traffic separation and routing. The FAA Reauthorization Bill of 2010 mandates that all aircraft (GA, commercial, and military) operating within the NAS be equipped with ADS-B Out by 2020 [64]. ADS-B Out is the requisite transponder technology which enables aircraft to transmit messages to ground stations and ADS-B In equipped aircraft. ADS-B In technology enables the user to receive and process ADS-B messages from nearby transmitters. Note that lawmakers are considering making ADS-B In mandatory in the near future [18].

The current NAS relies on ground-based Radio Detection and Ranging (Radar) for aircraft surveillance. Primary Surveillance Radar (PSR) uses a network of ground-based stations which can detect targets within a range of approximately 75 nautical miles (NM) [26]. PSR locates a target using the antenna angle at the time of transmission, and the elapsed time before the backscattered signal is received. Note that this information is two-dimensional, while aircraft exist in a three-dimensional world. Secondary Surveillance Radar (SSR) adds two supplemental data points about the target aircraft, and is based on the IFF system introduced in World War II. The SSR emits an interrogation signal, and aircraft in the coverage area equipped with a compatible transponder reply with altitude and identification information. The current ground-based Radar system requires large rotating antennas that are costly to maintain, suffer from significant coverage gaps, and are slow to update [50]. The Radar system has a refresh rate of about 12 seconds, which is slow for aircraft moving at 200+ knots, and can be precise only up to 300 meters. ADS-B employs the same onboard transponder technology and communication channel as SSR, but offers an improved refresh rate of half a second (2 Hz), as well as precision of up to 20 meters [38, 50].

2.3 Automatic Dependent Surveillance-Broadcast

The concept of Automatic Dependent Surveillance (ADS) was first introduced by the ICAO in the 1980s and outlined in the Future Air Navigation System (FANS) plan [8, 20]. ADS-B is Automatic in that it does not require interrogation from the ground or other aircraft. It is Dependent because it relies on information from aircraft sensors and other onboard equipment to provide Surveillance services. Finally, and most critical to this research, ADS-B indiscriminately Broadcasts its data to all users within range.

ADS-B enables pilots and ATC to share and display the same information. It relies on the Global Positioning System (GPS) and other satellite navigation tools such as the Wide Area Augmentation System (WAAS) to accurately determine an aircraft’s position. The precise location, along with other data such as aircraft identification, airspeed, altitude, and heading gathered from the aircraft’s Flight Management System (FMS), are relayed to ground stations and other equipped aircraft as shown in Figure 2.2 [15].

The FAA has identified two options for equipage under the ADS-B mandate: the 978 MHz UAT and the 1090 MHz ES [17]. The 978 MHz Universal Access Transceiver is a new data link designed specifically for GA aircraft which can process ADS-B along with Flight Information Services-Broadcast (FIS-B) and Traffic Information Services-Broadcast (TIS-B). The 1090 MHz Extended Squitter link uses an existing message type supported by Mode S transponders to transmit ADS-B messages. A squitter message or a squawk is a transmitted message not invoked by any interrogation. The 1090 MHz channel is the internationally adopted broadcast frequency, designated for commercial and high-performance aircraft, and is the focus of this research. An ADS-B squitter is 112 bits wide and 120 µs long with an 8 µs preamble. As shown in Figure 2.3, 56 of the 112 bits are for ADS-B specific data to include altitude, latitude and longitude. The remaining bits are used for the message format, transponder capability, aircraft address or identifier, and a parity check for data integrity.

Figure 2.2: Major Components of the ADS-B System [38].

Figure 2.3: ADS-B Message Data Link Layer [38]. Preamble | Downlink Format (5 bits) | Capability (3 bits) | Aircraft Address (24 bits) | ADS-B Data (56 bits) | Parity Check (24 bits).
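As an added example following the layout of Figure 2.3 (not code from the thesis), the block below assembles a 112-bit Extended Squitter from its fields, parses a received frame back into them, and checks the parity field. The generator polynomial 0xFFF409 is the Mode S CRC-24 and is an assumption not stated on this page; the address and data values in the demo are constructed. The parity check detects transmission errors, which is the integrity property the text credits it with; because it is keyless, it says nothing about who sent the frame.

```python
"""Field layout and parity of a 112-bit ADS-B Extended Squitter (Figure 2.3).

Added example, not code from the thesis. Assumptions not stated on the page:
the parity field is the Mode S CRC-24 with generator polynomial 0xFFF409, and
the sample address/data values in the demo are constructed.
"""
from dataclasses import dataclass

FRAME_BYTES = 14                 # 112 bits; the 8 us preamble is not part of them
POLY = 0x1FFF409                 # x^24 + x^23 + ... + x^12 + x^10 + x^3 + 1 (Mode S CRC-24)
PARITY_BITS = 24
HEADER_BITS = 112 - PARITY_BITS  # DF(5) + CA(3) + address(24) + data(56) = 88


def crc24(value: int, nbits: int) -> int:
    """Remainder of value(x) * x^24 modulo POLY; value holds nbits bits, MSB first."""
    reg = value << PARITY_BITS
    for i in range(nbits + PARITY_BITS - 1, PARITY_BITS - 1, -1):
        if (reg >> i) & 1:
            reg ^= POLY << (i - PARITY_BITS)
    return reg & 0xFFFFFF


@dataclass(frozen=True)
class Squitter:
    df: int        # Downlink Format, 5 bits (17 = ADS-B Extended Squitter)
    ca: int        # transponder Capability, 3 bits
    address: int   # ICAO aircraft address, 24 bits
    data: int      # ADS-B data (ME field), 56 bits
    parity: int    # parity check, 24 bits

    def header(self) -> int:
        """The 88 bits the parity is computed over, packed MSB first."""
        return (self.df << 83) | (self.ca << 80) | (self.address << 56) | self.data

    def to_bytes(self) -> bytes:
        return ((self.header() << PARITY_BITS) | self.parity).to_bytes(FRAME_BYTES, "big")


def build(df: int, ca: int, address: int, data: int) -> Squitter:
    """Assemble a frame, computing the parity field from the other four."""
    for name, val, width in (("df", df, 5), ("ca", ca, 3),
                             ("address", address, 24), ("data", data, 56)):
        if not 0 <= val < (1 << width):
            raise ValueError(f"{name} does not fit in {width} bits")
    header = Squitter(df, ca, address, data, 0).header()
    return Squitter(df, ca, address, data, crc24(header, HEADER_BITS))


def parse(frame: bytes) -> Squitter:
    """Split a received frame into the fields of Figure 2.3 (no validation)."""
    if len(frame) != FRAME_BYTES:
        raise ValueError("an Extended Squitter is exactly 112 bits (14 bytes)")
    v = int.from_bytes(frame, "big")
    return Squitter(df=v >> 107, ca=(v >> 104) & 0x7, address=(v >> 80) & 0xFFFFFF,
                    data=(v >> 24) & ((1 << 56) - 1), parity=v & 0xFFFFFF)


def parity_ok(frame: bytes) -> bool:
    """True when the stored parity equals the parity recomputed over the header.

    This catches corruption in transit. It is keyless, so it is an integrity
    check against errors, not an authenticity check on the sender.
    """
    v = int.from_bytes(frame, "big")
    return crc24(v >> PARITY_BITS, HEADER_BITS) == (v & 0xFFFFFF)


def flip_bit(frame: bytes, index_from_msb: int) -> bytes:
    """Simulate a single bit error at the given position (0 = first bit sent)."""
    v = int.from_bytes(frame, "big") ^ (1 << (111 - index_from_msb))
    return v.to_bytes(FRAME_BYTES, "big")


if __name__ == "__main__":
    # Constructed values: DF=17, CA=5, an arbitrary address and ME payload.
    frame = build(17, 5, 0xA1B2C3, 0x58C382D690C8AC).to_bytes()
    print(frame.hex(), parity_ok(frame))
    print(parse(frame))
    print(parity_ok(flip_bit(frame, 40)))   # a single bit error is detected
```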
2.3.1 Logistical Advantages of ADS-B.

The ADS-B system adds functionality to the NextGen upgrade while reusing the existing 1090 MHz broadcast frequency and Mode S transponder technology.

One of the primary advantages of ADS-B is its ability to provide coverage where Radar is not available. This is particularly relevant in transoceanic flight where viable locations for Radar stations are minimal. Indeed, a few strategically placed ADS-B broadcast stations, in addition to rebroadcasting ADS-B In-equipped aircraft, will enhance transoceanic coverage [37]. Another advantage is the smaller footprint of ADS-B facilities, which allows the FAA to deploy broadcast stations on structures such as oil rigs many miles out from land. In addition to a smaller footprint, operation and maintenance of ADS-B equipment is significantly cheaper than Radar, costing approximately $100-$400 thousand per ADS-B station versus $1-$4 million for a radar station [28, 37].

Alaska’s Capstone program, an experiment in testing ADS-B technology and its effect on air traffic controller workload, showed a significant reduction in stress and an increase in efficiency. During the trial period, 208 aircraft were equipped with ADS-B and normal flights in and out of the Alaskan region were monitored. After program completion, surveys of controllers found that 57% said they had spent less time providing IFR separation services, and 79% felt their overall efficiency increased with ADS-B [37, 57]. These advantages, which enable the FAA to accomplish its mission more effectively and at lower cost, have sparked the interests of other prominent actors in the aviation world, notably the United States Armed Forces.

2.3.2 Military Applications.

The U.S. Air Force has identified benefits associated with the transition to NextGen and particularly the ADS-B technology. The Air Force operates three types of missions: Open, Sensitive, and Covert [25]. ADS-B technology could be employed in one or all of these mission types if encryption and jam/spoof resistance features are developed. Specifically, ADS-B could enhance safety and mission capabilities in Air Refueling (AR), Formation Flying, Rendezvous, Fighter Intercept, Air Combat Maneuvering Instrumentation (ACMI) missions, and precision Airdrop [12, 25]. These military-unique applications for ADS-B were identified in 2001 - 13 years ago; however, the Air Force has not yet ratified these proposals.

Nevertheless, military aircraft manufacturers have started testing ADS-B technology for use in manned and Unmanned Aerial Vehicles (UAVs). General Atomics-Aeronautical Systems Inc, a major defense contractor, has tested a BAE Systems-developed military grade IFF transponder with ADS-B In and ADS-B Out capabilities for use within its Airborne Sense-And-Avoid architecture (ABSAA) [22]. The test was part of a series of demonstrations aiming to prove that UAVs can fly cooperatively and safely in the National Airspace System. Note that the Sense-And-Avoid architecture in development could also be used in the future by autonomous swarms of UAVs for precise formation flight. However, many issues with the ADS-B system must be addressed before it is deployed in such safety-critical systems.

The military considers the lack of encryption and jam/spoof resistance features in ADS-B a significant OPSEC risk [25]. In response, the FAA maintains that the upgraded surveillance system does not subject aircraft to any increased risk compared to that which is already experienced given the current surveillance system [17]. However, GA and military aircraft operate under different risk profiles. A military aircraft conducting an Open mission may accept the same risk profile as a GA aircraft. However, certain missions require much more stringent OPSEC.

2.3.3 Operational Security.

The United States DoD Policy Board on Federal Aviation (PBFA) has stated that the FAA “needs to continue to work with DoD and DHS to ensure that concerns about ADS-B security are adequately addressed” [5]. Specifically, DoD policy makers are intent on a “requirement to develop operational procedures for special [US Government] flights (such as low observable surveillance aircraft, UASs, combat air patrol missions, counter-drug missions, counter-terrorism missions, VIP transport, law enforcement surveillance, etc)” [5].

A concern with ADS-B is the ability of any individual to purchase commercially available equipment that is capable of receiving ADS-B messages and monitoring air traffic. As an example of the potentially malicious use of such information, the mobile application Plane Finder AR allows a user to aim a smart phone at a passing aircraft, and the application queries an Internet database for flight information including call sign, altitude, current heading, origin/destination and relative distance from the user’s current position [20, 38]. Since early warfare, opposing forces have tried to track and maintain an accurate count of one another’s forces. Such tracking and targeting capability at such low cost is a major OPSEC risk for military and law enforcement operations [38].

2.3.4 Communications Security.

COMSEC is the discipline of preventing unauthorized interceptors from accessing telecommunications in an intelligible form, while still delivering content to the intended recipients. The CIA model encompasses the three core security principles of Confidentiality, Integrity, and Availability (CIA) [63]. Confidentiality refers to preventing the disclosure of information to unauthorized parties. Integrity refers to maintaining the accuracy of the data throughout the transmission lifecycle. Availability refers to preventing disruptions to the transmission and ensuring that the data remains accessible to authorized parties.

Researchers have analyzed the security vulnerabilities of ADS-B. In [38], McCallie et al. provided a taxonomy of attacks against ADS-B. The ADS-B system can be attacked through individual avionics components, during message transmission, and through the backbone network used to share data between ARTCCs. The most probable attack vectors are those aimed at exploiting ADS-B messages being transmitted and received by an aircraft [38]. Specifically, the use of plaintext broadcasts by ADS-B allows messages to be spoofed, replicated, or modified. Of the six forms of attacks against NextGen outlined in [38], three include the injection of false ADS-B messages. Recent presentations at the Black Hat [37] and Def Con 20 [20] conferences have demonstrated the ability to generate and broadcast false messages with relative ease and at low cost. The DoD has asked for the development of encryption and jam/spoof proofing mechanisms [25] to protect the Confidentiality and Availability of messages being transmitted and received by aircraft [61]. Note that ADS-B already provides Integrity through the use of a parity check.

One approach for adding encryption and jam/spoof proofing to ADS-B is to adapt ADS-B messages for use within the existing military Identification Friend or Foe (IFF) transponders. The United States military and North Atlantic Treaty Organization (NATO) allies are currently equipped with the Mark XIIA Mode 5 system for airborne IFF as defined by NATO STANAG 4193 [45]. Confidentiality in Mode 5 is provided by a NSA-approved Type-1 algorithm embedded in a programmable cryptographic engine [32]. The Mode 5 waveform uses minimum shift keying (MSK) modulation and spread spectrum techniques to realize a processing gain waveform and ensure the Availability of the message [32]. Mode 5 Level 1 (M5L1) is currently fielded and offers significant improvements in secure friend determination over the legacy Mode 4. M5L2 is a new asynchronous mode for secure self reporting, with the ability to report GPS data in 77-bit tactical data report messages. M5L2 can provide up to 16 message formats, 11 of which are reserved for standard IFF, and 5 are proposed for assignment to Military ADS-B functions [32]. A 112-bit ADS-B message would be reformatted to fit into a 77-bit M5L2 message as shown in Figure 2.4.
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Figure  2.4:  An  Airborne  Position  ADS-B  message  eonverted  into  a  M5L2  message  [32]. 


Unfortunately, M5L2 does not have a well-defined framework for precision tracking. Traditional ADS-B transponders can extrapolate the latest GPS position information every 200 milliseconds to ensure that the broadcast message is as accurate as possible. M5L2, however, lacks this capability and has a much higher latency, which leads to imprecise position messages. Figure 2.5 shows a comparison of the tracking performance of ADS-B and M5L2. The precision of the position broadcast can be critical for aircraft travelling at hundreds and sometimes thousands of knots.

Although M5L2 is a defined standard, there is no identified mandate date for its deployment [62]. M5L2 may not be fielded for several years or decades, leaving the Air Force with the options of either not complying with the 2020 congressional mandate, or operating with an insecure ADS-B system and sacrificing OPSEC.

Figure 2.5: Position Extrapolation for Tracking: ADS-B vs. M5L2-B [62]. (Plot; horizontal axis: Time (seconds).)

2.4 The Automatic Identification System

The AIS is the naval homologue of ADS-B and is used for collision avoidance, Vessel Traffic Services (VTS), search and rescue, accident investigation, and Aids to Navigation (AtoN). In 2000, the International Maritime Organization (IMO) mandated the fitting of the Automatic Identification System on all international voyaging ships by 1 July 2004. Subsequently, the requirement was expanded to all commercial ships with gross tonnage of 300 or more tons, and all passenger ships regardless of size [46]. To resolve the OPSEC risk, NATO sought to add encryption to AIS. Standards agencies started developing a secure AIS for warships in 2004, resulting in the Warship-Automatic Identification System (W-AIS), which is defined in the NATO Standard Agreement (STANAG) 4668 [46].

NATO released a first edition of STANAG 4668 in 2007, and a revised edition in 2010. To reduce the need for a costly acquisition process, W-AIS is based on the commercial AIS transponder specifications defined in ITU-R M.1371 [30] with add-on encryption units. According to STANAG 4668, the W-AIS may be operated in Protected, Active, Passive or Off modes. In the Protected mode of operation, “The W-AIS shall receive and transmit information protected by commercial grade encryption. The W-AIS shall still receive all unencrypted transmissions from commercial AIS equipped ships within range” [46]. The W-AIS may implement the open-source Blowfish commercial encryption or the AES algorithm for protection of data, as shown in Figure 2.6. The encrypted content is transmitted in a time slot designated for its specific message format in the AIS Time-Division Multiple Access (TDMA) scheme.


Figure 2.6: W-AIS Block Diagram. Modified from [46].


AES and Blowfish are symmetric encryption schemes requiring each party in the trust ring to know the pre-shared encryption key. With this scheme, warships and other military vessels are able to form trusted networks for sensitive operations, while maintaining situational awareness of other ships in the vicinity. A key attribute that enables the use of the AES and Blowfish algorithms in W-AIS is the standard 256-bit size of the AIS message [30].

ADS-B transmits a 112-bit message, which is not suitable for encryption with traditional encryption algorithms. Encryption algorithms are typically designed to work with message blocks of 64 or 128 bits, and pad non-standard-length messages to a multiple of the block size. Padding is not an option with ADS-B because of requirements for compatibility with legacy Mode S transponders.

2.5 Format-Preserving Encryption

Encryption is the mathematical manipulation of data in such a way as to make it unintelligible to unauthorized parties, yet recoverable by the intended recipients. In the basic communication scenario, depicted in Figure 2.7, there are two parties, Alice and Bob, who want to communicate with each other over an unsecured channel. A third party, Eve, is a potential eavesdropper who may gain access to messages sent over the unsecured channel. When Alice wants to send a message to Bob, called the plaintext, she encrypts it using a method prearranged with Bob. When Bob receives the encrypted message, called the ciphertext, he changes it back to the plaintext using a decryption key [63].




Figure 2.7: The Basic Communication Scenario for Cryptography [63].

Many encryption algorithms are widely available today and used in information security, as shown by the hierarchy in Figure 2.8. They can be categorized into symmetric (private-key) and asymmetric (public-key) algorithms. In symmetric-key encryption, only one key is used for encryption and decryption. The key must be distributed offline before transmission between Alice and Bob. In asymmetric encryption, two keys are used. A public key is used for encryption and a private key is used for decryption, with each party having a unique key pair. This resolves the problem of key distribution, but requires more complex and computationally intensive mathematical operations.


Figure 2.8: Hierarchy of Modern Cryptography [13].


Within symmetric-key encryption, there exist block ciphers and stream ciphers [63]. Stream ciphers encipher the plaintext one digit at a time and concatenate these independent encryptions to form the ciphertext. Stream ciphers are fast but are prone to weaknesses in integrity protection and authentication. On the other hand, block ciphers encipher fixed-length groups of plaintext digits. Block ciphers are slower, but their mechanism ensures the security properties of confusion and diffusion. Confusion means that the key does not relate in a simple way to the ciphertext, and refers to making the relationship between the key and the ciphertext as complex as possible by using the key non-uniformly throughout the encryption process. Diffusion means that changing a single character in the plaintext causes several characters in the ciphertext to change, and vice versa. For a stream cipher to be secure, its keystream must have a large period, meaning that a complex key management scheme is required. Block ciphers are predominantly used in modern-day cryptography [63], and three in particular - AES, 3DES, and Skipjack - are recommended for use by NIST [10].

In the context of ADS-B, previous research [20, 31] has unanimously supported the use of a symmetric algorithm. Using an asymmetric algorithm in the NAS would require each aircraft to identify and maintain awareness of neighboring traffic and ground stations in order to select the pertinent keys for encrypting each message transmission [31]. The associated overhead would likely negate the benefits that ADS-B affords by impeding the message transmission rate [20]. Symmetric algorithms are computationally more efficient than asymmetric algorithms; however, key management becomes a greater concern. Any compromise of the key at any point compromises the fidelity of the entire security system. While the logistics of key management will need to be addressed, its implementation is beyond the scope of this research.

In determining an appropriate symmetric algorithm, ADS-B system functionality must be considered. Frequent ADS-B broadcasts include only minor changes to data fields. To protect the system from known-plaintext attacks, it is necessary that repeated patterns in the plaintext be diffused in the ciphertext. As such, a block cipher algorithm is most appropriate for use in the ADS-B operating environment [20, 31].
The aforementioned block cipher algorithms approved by NIST, such as AES, are predicated on encrypting precisely 64-, 128- or 256-bit blocks [13, 63]. The 128-bit message space was conventional for the cryptographic community and convenient for the AES designers [52]. Messages that do not fit the prescribed block size are typically padded or truncated. This is incompatible with ADS-B, as the underlying hardware and protocol frameworks are designed specifically for the 112-bit fixed data length. Hence, an encryption scheme that supports an arbitrary block size is required.

2.5.1 History of FPE.

FPE is an encryption scheme that supports arbitrary block sizes. Given any finite set of symbols, FPE transforms data that is formatted as a sequence of symbols in such a way that the encrypted form of the data has the same format and length as the original data. Encrypting a 16-decimal-digit plaintext such as a credit-card number results in a ciphertext that is also a 16-decimal-digit number. A shared key K is used to control the encryption. Syntactically, a map $E : \mathcal{K} \times X \to X$ is sought in which $X$ encodes 16-digit strings and $E_K = E(K, \cdot)$ is a permutation for each $K \in \mathcal{K}$ [52].

The origins of the FPE problem can be traced back 33 years. In 1981, the US National Bureau of Standards (later to become NIST) published FIPS 74 [42], an appendix of which describes an approach for enciphering arbitrary strings over an arbitrary alphabet. The scheme was subsequently proven to be insecure [2]. It was not until 1997 that Brightwell and Smith clearly and generally described the FPE problem and its utility, which they called at the time “datatype-preserving encryption” [3]. Black and Rogaway brought the problem back to the attention of the cryptographic community in 2002 [3]. In 2003, Terence Spies proposed the FFSEM [59] FPE algorithm to NIST.

2.5.2 Premise of FPE.

The development of FPE was motivated by the desire to add security to legacy protocols and systems. In such systems, one of the barriers to the adoption of effective encryption methods is the cost of modifying databases and applications to accommodate encrypted information. First, applications often expect input in specific formats, so the encrypted data must retain the data format. Second, data such as Social Security Numbers or personal account numbers are often used as keys or indices in the database, so randomization of these fields requires significant schema changes [52, 60]. Black and Rogaway describe the need for a deterministic FPE algorithm in [3], meaning that every time a particular message X is encrypted with a particular key K, the exact same ciphertext Y is created and no additional information is needed to reverse the process.

Black and Rogaway proposed three methods for FPE: a Prefix method, a Cycle-Walking Cipher and a Feistel Construction [3]. The first two methods have strong security bounds, but are targeted at tiny-space and small-space messages. For tiny-space FPE, the size of the message space $N = |X|$ is so small that it is feasible to spend $O(N)$ time or $O(N)$ space in order to encrypt or decrypt a point [52]. For small-space FPE, the size of the message space $N = |X|$ is at most $2^w$, where $w$ is the block size of the block cipher underlying the FPE scheme [40]. AES is often used as the block cipher, so $w = 128$ bits and $N = 2^{128}$ is the cutoff for “small”. The third method encrypts a much wider variety of data using the Feistel construction first formally examined by Luby and Rackoff in 1988 [36]. The Feistel construction has the desirable property that its ciphers can be proven to reduce to the underlying block cipher used in the round function [48].

FPE schemes are generalizations of block ciphers, and rely on time-tested, community-engendered confidence in the underlying cipher for their security merit. The Feistel method has been the most well-known approach for making block ciphers for 35 years [41]. It turns a block cipher into a pseudorandom function while maintaining its strong provable-security guarantees, and has been standardized by ANSI, ISO and NIST [67]. Effective attacks on Feistel-based constructions seldom attempt to attack the Feistel structure itself, but look instead for defects in the round function used [52].

In 2010, Mihir Bellare, Terence Spies, and Phillip Rogaway submitted to NIST specifications for FFX [2], a format-preserving Feistel-based encryption scheme. The X stands for the various implementation forms of the algorithm, tailored to suit each particular application. Note that FFX was derived from the previous FFSEM proposal by Spies.

2.5.3 Security of FFX within the ADS-B environment.

A recent study by Finke [20] tested the FFX algorithm as proposed in [2] within the ADS-B environment. The algorithm’s ability to encrypt and mask predictable ADS-B messages was measured using classical Shannon entropy. Experimental results demonstrated the utility of FFX encryption based upon its ability to confuse and diffuse ADS-B message content.

In July 2013, NIST released a draft recommendation for format-preserving modes of operation for block ciphers [10]. The release recommended two additional algorithms in addition to a modified version of FFX, along with specified parameters to narrow variances in implementation.

2.6 NIST Recommendations for Format-Preserving Encryption

NIST is responsible for developing information security standards and guidelines, including minimum requirements for Federal information systems [44]. In July 2013, NIST released a draft of Special Publication 800-38G (SP800-38G) [10] for public comment, specifying three methods for format-preserving encryption, called FF1, FF2, and FF3. Each of these methods is a mode of operation of the AES algorithm, which is used to construct a round function within the Feistel structure for encryption, as shown in Figure 2.9.
The three modes specified, FF1, FF2 and FF3, were submitted to NIST under the names FFX[Radix] [2], VAES3 [65], and BPS-BC [4], respectively. FF1 supports the greatest range of lengths for the protected data and the tweak [10]. FF2 generates a subkey for the block cipher in the Feistel round function, which can help protect the original key from side-channel analysis. FF3 offers the lowest round count, eight, compared to ten for FF1 and FF2, and is the least flexible in the tweaks that it supports.

Figure 2.9: Illustration of the Feistel Structure of FPE [10].

2.6.1 FF1.


The FF1 algorithm is derived from Bellare, Rogaway, and Spies’ FFX [2] algorithm. The designers of FFX made it customizable with nine alterable parameters. Certain parameter collections such as FFX-A2 and FFX-A10 were specified to encipher binary strings of 8 to 128 bits, and decimal strings of 4 to 36 digits, respectively [2]. In the original algorithm, the user could choose between an arbitrarily unbalanced or alternating Feistel structure. The NIST-specified FF1 narrowed the scope of the algorithm to use 10 rounds of encryption and a maximally-balanced alternating-Feistel structure.

Pseudocode of the FF1 encryption algorithm is provided in Algorithm 1. The parameters radix, minlen, maxlen, and maxTlen in FF1.Encrypt and FF1.Decrypt shall meet the following requirements:

• $radix \in [2..2^{16}]$;

• $radix^{minlen} \geq 100$;

• $minlen \geq 2$;

• $maxlen \leq 2^{32}$;

• $maxTlen \leq 2^{32}$.

FPE algorithms can encrypt finite character strings of arbitrary length and format. Each character or symbol in the character string may be from an arbitrary set of symbols, or alphabet. Radix represents the number of characters in a given alphabet; minlen and maxlen bound the number of symbols, i.e., the length of a character string.

The FF1 algorithm can encrypt alphabets of base 2 to base $2^{16}$. The character string must be between 2 and $2^{32}$ characters in length. There must be at least 100 possible permutations for the chosen base and length. The FF1 algorithm takes a tweak in addition to the secret key. The tweak is an input parameter to the encryption and decryption functions whose confidentiality is not protected by the mode. It serves to vary the ciphertext for plaintext with small [...]. The base of the tweak is the same as the radix. The maximum length of the tweak is $2^{32}$.

The ADS-B message is represented in binary and has a radix value of 2. The message is 112 characters in length, which meets the requirements of FF1. The tweak used is also required to be in base 2.

Algorithm 1 FF1.Encrypt(K, T, X) [10].

Prerequisites:

Approved, 128-bit block cipher, CIPH;

Key, K, for the block cipher;

Base, radix, for the character alphabet;

Range of supported message lengths, [minlen..maxlen];

Maximum byte length for tweaks, maxTlen.

Inputs:

Character string, X, in base radix of length n such that $n \in [minlen..maxlen]$;

Tweak T, a byte string of byte length t, such that $t \in [0..maxTlen]$.

Output:

Character string, Y, such that LEN(Y) = n.

Steps:

1: Let $u = \lfloor n/2 \rfloor$; $v = n - u$.

2: Let $A = X[1..u]$; $B = X[u+1..n]$.

3: Let $b = \lceil \lceil v \cdot \mathrm{LOG}_2(radix) \rceil / 8 \rceil$; $d = 4\lceil b/4 \rceil + 4$.

4: Let $P = [1]^1 \,\|\, [2]^1 \,\|\, [1]^1 \,\|\, [radix]^3 \,\|\, [10]^1 \,\|\, [u \bmod 256]^1 \,\|\, [n]^4 \,\|\, [t]^4$.

5: for $i = 0$ to 9 do

6: Let $Q = T \,\|\, [0]^{(-t-b-1) \bmod 16} \,\|\, [i]^1 \,\|\, [\mathrm{NUM}_{radix}(B)]^b$.

7: Let $R = \mathrm{PRF}(P \,\|\, Q)$.

8: Let S be the first d bytes of the following string of $\lceil d/16 \rceil$ blocks:

$R \,\|\, \mathrm{CIPH}_K(R \oplus [1]^{16}) \,\|\, \mathrm{CIPH}_K(R \oplus [2]^{16}) \,\|\, \ldots \,\|\, \mathrm{CIPH}_K(R \oplus [\lceil d/16 \rceil - 1]^{16})$.

9: Let $y = \mathrm{NUM}_2(S)$.

10: If i is even, let $m = u$; else, let $m = v$.

11: Let $c = (\mathrm{NUM}_{radix}(A) + y) \bmod radix^m$.

12: Let $C = \mathrm{STR}^m_{radix}(c)$.

13: Let $A = B$.

14: Let $B = C$.

15: end for

16: Return $A \,\|\, B$.
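The following Python implementation of Algorithm 1 and its inverse is an added example, not code from the thesis or from NIST. It runs the radix-2 FF1 rounds over a constructed 112-bit ADS-B frame and, to show the radix generality, a 16-decimal-digit number; since no AES library is assumed, the block cipher CIPH_K is replaced by a clearly labelled, insecure hash-based stand-in (`toy_ciph`), and the key, tweak and frame contents are constructed values.

```python
import hashlib

def num(radix, digits):
    """NUM_radix(X): integer whose base-radix numerals are X, most significant first."""
    value = 0
    for d in digits:
        value = value * radix + d
    return value

def strm(radix, m, x):
    """STR^m_radix(x): x as a base-radix numeral string of exactly m numerals."""
    out = []
    for _ in range(m):
        out.append(x % radix)
        x //= radix
    return out[::-1]

def toy_ciph(key, block):
    """Stand-in for CIPH_K, the approved 128-bit block cipher (AES-128 in SP 800-38G).
    NOT AES and NOT secure: a keyed, deterministic 16-byte -> 16-byte map so that the
    Feistel structure can run without a crypto library. Replace with AES-128 for real use."""
    assert len(block) == 16
    return hashlib.sha256(key + block).digest()[:16]

def prf(ciph, key, data):
    """PRF(X) of SP 800-38G: CBC-MAC with a zero IV over a whole number of 16-byte blocks."""
    assert len(data) % 16 == 0
    r = bytes(16)
    for off in range(0, len(data), 16):
        r = ciph(key, bytes(a ^ b for a, b in zip(r, data[off:off + 16])))
    return r

def _ff1_setup(radix, n, t):
    """Steps 1, 3 and 4 of Algorithm 1: split point u/v, byte lengths b and d, fixed block P."""
    u, v = n // 2, n - n // 2
    # b = ceil(ceil(v * LOG2(radix)) / 8); (radix**v - 1).bit_length() equals ceil(v*log2(radix))
    # and is computed exactly with integers, avoiding floating-point rounding of the logarithm
    b = ((radix ** v - 1).bit_length() + 7) // 8
    d = 4 * ((b + 3) // 4) + 4
    p = (bytes([1, 2, 1]) + radix.to_bytes(3, "big") + bytes([10, u % 256])
         + n.to_bytes(4, "big") + t.to_bytes(4, "big"))
    return u, v, b, d, p

def _ff1_round(ciph, key, p, tweak, b, d, i, numeral):
    """Steps 6-9 of Algorithm 1 for round i: build Q, apply the PRF, expand to d bytes, return y."""
    t = len(tweak)
    q = tweak + bytes((-t - b - 1) % 16) + bytes([i]) + numeral.to_bytes(b, "big")
    r = prf(ciph, key, p + q)
    s = r
    for j in range(1, -(-d // 16)):  # ceil(d/16) blocks in all, R itself being block 0
        s += ciph(key, bytes(a ^ c for a, c in zip(r, j.to_bytes(16, "big"))))
    return int.from_bytes(s[:d], "big")

def ff1_encrypt(key, tweak, x, radix, ciph=toy_ciph):
    """FF1.Encrypt(K, T, X): x is a list of base-radix numerals; returns a list of equal length."""
    u, v, b, d, p = _ff1_setup(radix, len(x), len(tweak))
    a, bb = x[:u], x[u:]
    for i in range(10):
        y = _ff1_round(ciph, key, p, tweak, b, d, i, num(radix, bb))
        m = u if i % 2 == 0 else v
        a, bb = bb, strm(radix, m, (num(radix, a) + y) % radix ** m)
    return a + bb

def ff1_decrypt(key, tweak, y, radix, ciph=toy_ciph):
    """FF1.Decrypt(K, T, Y): the ten rounds of Algorithm 1 undone in reverse order."""
    u, v, b, d, p = _ff1_setup(radix, len(y), len(tweak))
    a, bb = y[:u], y[u:]
    for i in range(9, -1, -1):
        m = u if i % 2 == 0 else v
        yi = _ff1_round(ciph, key, p, tweak, b, d, i, num(radix, a))
        bb, a = a, strm(radix, m, (num(radix, bb) - yi) % radix ** m)
    return a + bb

# Constructed sample inputs: not a real key, not a real aircraft's message.
KEY = b"constructed-key!"                   # 16 bytes, standing in for the AES-128 key K
TWEAK = b"\x00\x01"                         # a 2-byte tweak T (FF1 tweaks are byte strings)
ADSB_HEX = "8dabcdef58b982dc1f64cb00aaaa"   # 28 hex digits = 112 bits, one constructed frame
ADSB_BITS = [int(ch) for ch in bin(int(ADSB_HEX, 16))[2:].zfill(112)]

def encrypt_adsb(bits=ADSB_BITS, tweak=TWEAK):
    """Radix-2 FF1 over the 112-bit ADS-B payload: the ciphertext is again exactly 112 bits."""
    return ff1_encrypt(KEY, tweak, bits, 2)

def roundtrip_ok(bits=ADSB_BITS, tweak=TWEAK):
    return ff1_decrypt(KEY, tweak, encrypt_adsb(bits, tweak), 2) == bits

def encrypt_pan(digits="4111111111111111"):
    """The same code at radix 10: a 16-decimal-digit number encrypts to 16 decimal digits."""
    return "".join(str(d) for d in ff1_encrypt(KEY, TWEAK, [int(c) for c in digits], 10))

if __name__ == "__main__":
    print("".join(map(str, encrypt_adsb())))
    print(encrypt_pan())
```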

2.6.2 FF2.

The FF2 algorithm is derived from VAES3 [65], submitted to NIST by Joachim Vance. The FF2 algorithm generates a subkey for the block cipher in the Feistel round function, which can help protect the original key from side-channel analysis [10]. FF2 also has an additional parameter, tweakradix, for the choice of the base for tweak strings.

The pseudocode for the FF2 encryption algorithm is provided in Algorithm 2. The parameters radix, tweakradix, minlen, maxlen, and maxTlen in FF2.Encrypt and FF2.Decrypt shall meet the following requirements:

• $radix \in [2..2^{8}]$;

• $tweakradix \in [2..2^{8}]$;

• $radix^{minlen} \geq 100$;

• $minlen \geq 2$;

• $maxlen \leq 2\lfloor 120 / \mathrm{LOG}_2(radix) \rfloor$ if radix is a power of 2;

• $maxlen \leq 2\lfloor 98 / \mathrm{LOG}_2(radix) \rfloor$ if radix is not a power of 2;

• $maxTlen \leq \lfloor 104 / \mathrm{LOG}_2(tweakradix) \rfloor$.

The FF2 algorithm can only encrypt character strings of base less than $2^{8}$. The tweakradix must meet the same constraint. There must be at least 100 possible permutations for the chosen base and length. For the ADS-B message with radix 2 and tweakradix 2, the FF2 algorithm is limited to a maximum plaintext length of 240 and a maximum tweak length of 208. The ADS-B message fits within the parameters of the FF2 algorithm.
Algorithm 2 FF2.Encrypt(K, T, X) [10].

Prerequisites:

Approved, 128-bit block cipher, CIPH;

Key, K, for the block cipher;

Base, radix, for the character alphabet;

Base, tweakradix, for the tweak character alphabet;

Range of supported message lengths, [minlen..maxlen];

Maximum supported tweak length, maxTlen.

Inputs:

Numeral string, X, in base radix of length n such that $n \in [minlen..maxlen]$;

Tweak numeral string, T, in base tweakradix of length t such that $t \in [0..maxTlen]$.

Output:

Character string, Y, such that LEN(Y) = n.

Steps:

1: Let $u = \lfloor n/2 \rfloor$; $v = n - u$.

2: Let $A = X[1..u]$; $B = X[u+1..n]$.

3: If $t > 0$, let $P = [radix]^1 \,\|\, [t]^1 \,\|\, [n]^1 \,\|\, [\mathrm{NUM}_{tweakradix}(T)]^{13}$; else let $P = [radix]^1 \,\|\, [0]^1 \,\|\, [n]^1 \,\|\, [0]^{13}$.

4: Let $J = \mathrm{CIPH}_K(P)$.

5: for $i = 0$ to 9 do

6: Let $Q = [i]^1 \,\|\, [\mathrm{NUM}_{radix}(B)]^{15}$.

7: Let $Y = \mathrm{CIPH}_J(Q)$.

8: Let $y = \mathrm{NUM}_2(Y)$.

9: If i is even, let $m = u$; else, let $m = v$.

10: Let $c = (\mathrm{NUM}_{radix}(A) + y) \bmod radix^m$.

11: Let $C = \mathrm{STR}^m_{radix}(c)$.

12: Let $A = B$.

13: Let $B = C$.

14: end for

15: Return $A \,\|\, B$.
2.6.3 FF3.

The FF3 algorithm is equivalent to the BPS-BC component of BPS [4], instantiated with a 128-bit block and limited to tiny- and small-space messages [10].

The pseudocode for the FF3 encryption algorithm is provided in Algorithm 3. The parameters radix, minlen, and maxlen in FF3.Encrypt and FF3.Decrypt shall meet the following requirements:

• $radix \in [2..2^{16}]$;

• $radix^{minlen} \geq 100$;

• $minlen \geq 2$;

• $maxlen \leq 2\lfloor \mathrm{LOG}_{radix}(2^{96}) \rfloor$.

The FF3 algorithm does not employ a tweak. It can encrypt alphabets of base 2 to base $2^{16}$. There must be at least 100 possible permutations for the chosen base and length. The character string must be between 2 and $2\lfloor \mathrm{LOG}_{radix}(2^{96}) \rfloor$ characters in length. For an ADS-B message of radix 2, the FF3 algorithm is limited to a maximum plaintext length of 192 characters.

Algorithm 3 FF3.Encrypt(K, T, X) [10].

Prerequisites:

Approved, 128-bit block cipher, CIPH;

Key, K, for the block cipher;

Base, radix, for the character alphabet;

Range of supported message lengths, [minlen..maxlen], such that $minlen \geq 2$ and $maxlen \leq 2\lfloor \mathrm{LOG}_{radix}(2^{96}) \rfloor$.

Inputs:

Numeral string, X, in base radix of length n such that $n \in [minlen..maxlen]$;

Tweak bit string, T, such that LEN(T) = 64.

Output:

Character string, Y, such that LEN(Y) = n.

Steps:

1: Let $u = \lceil n/2 \rceil$; $v = n - u$.

2: Let $A = X[1..u]$; $B = X[u+1..n]$.

3: Let $T_L = T[0..31]$ and $T_R = T[32..63]$.

4: for $i = 0$ to 7 do

5: If i is even, let $m = u$ and $W = T_R$; else, let $m = v$ and $W = T_L$.

6: Let $P = \mathrm{REV}([\mathrm{NUM}_{radix}(\mathrm{REV}(B))]^{12}) \,\|\, W \oplus \mathrm{REV}([i]^4)$.

7: Let $Y = \mathrm{CIPH}_K(P)$.

8: Let $y = \mathrm{NUM}_2(\mathrm{REV}(Y))$.

9: Let $c = (\mathrm{NUM}_{radix}(\mathrm{REV}(A)) + y) \bmod radix^m$.

10: Let $C = \mathrm{REV}(\mathrm{STR}^m_{radix}(c))$.

11: Let $A = B$.

12: Let $B = C$.

13: end for

14: Return $A \,\|\, B$.

* Where REV(X) reverses the order of characters in the character string X.

2.7 Software Validation

In related research [20], Finke tested the FFX-A2 encryption algorithm on ADS-B data. That research verified the merits of the algorithm’s diffusion characteristics vis-à-vis the incrementally changing nature of ADS-B traffic. She employed Shannon’s classical measure of entropy to evaluate the security of the ciphertext.

During the evaluation of candidates for the Advanced Encryption Standard in 1999, one of the criteria used was demonstrated suitability as a random number generator. That is, the evaluation of their output utilizing statistical tests should not provide any means by which to computationally distinguish them from a truly random source. The statistical tests used by NIST to evaluate the candidates were: frequency test, block frequency test, cumulative sums test, runs test, long runs of ones test, rank test, spectral test, non-periodic templates test, overlapping template test, universal statistical test, random excursion test, random excursion variant test, Lempel-Ziv complexity test, linear complexity test, and an approximate entropy test [58]. The Rijndael candidate was selected as the AES algorithm, and performed satisfactorily on all the tests.

FPE algorithms are modes of operation of the underlying block cipher; thus FF1, FF2, and FF3 benefit from the statistical characteristics of AES [10, 48, 49], such as entropy. Entropy is a measure of unpredictability or information content. Shannon entropy quantifies the expected value of the information contained in a message and is typically measured in bits per byte [63].
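As an added illustration of the bits-per-byte entropy measure (not code from the thesis), the following computes Shannon entropy over a constructed stream of incrementally changing 112-bit frames, the kind of repetitive plaintext the encryption has to mask; the frame contents are constructed, not real traffic.

```python
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy H = -sum_b p(b) * log2 p(b) over the byte values of data,
    reported in bits per byte; 8.0 is the maximum (every byte value equally likely)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())

def constructed_adsb_stream(frames=200):
    """Constructed plaintext stream (not real traffic): consecutive 14-byte, 112-bit frames
    whose fixed header and trailer never change and whose 4-byte position field advances
    by one count per frame, mimicking the incrementally changing ADS-B broadcasts."""
    header = bytes.fromhex("8dabcdef58")   # constructed DF/CA, address and type-code bytes
    out = bytearray()
    for k in range(frames):
        out += header + (0x1F64CB + k).to_bytes(4, "big") + bytes(5)
    return bytes(out)

def plaintext_entropy(frames=200):
    """Entropy of the repetitive plaintext stream: it stays well below the 8.0 bits/byte
    that a ciphertext stream with good confusion and diffusion is expected to approach."""
    return shannon_entropy(constructed_adsb_stream(frames))

if __name__ == "__main__":
    print(round(plaintext_entropy(), 3), "bits/byte for the constructed plaintext stream")
```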

In addition to security considerations, the computational performance of the candidate algorithms is an important criterion. Because of the 2 Hz frequency of ADS-B traffic, it is important that the encryption mechanism has low latency in order to meet timing requirements. In measuring the performance of encryption algorithms, several performance metrics are used: encryption time, processing time, and total clock cycles per encryption [23].

2.8 Hardware Validation

Stand-alone ADS-B receivers are available for aviation enthusiasts and researchers to experiment with ADS-B equipment outside of the cockpit of an aircraft. There exist commercial-grade products such as the Kinetic Avionics SBS-3 dedicated 1090 MHz receiver [33], open-source Software-Defined Radio (SDR) projects such as the gr-air-modes GNU Radio package [21], and Do-It-Yourself (DIY) kits such as Gunter Kollner’s Mode S Beast kit [34]. The Mode S Beast, shown in Figure 2.10, employs an FPGA to decode received ADS-B messages.
Figure 2.10: Block Diagram of Mode S Beast Receiver by Gunter Kollner [34].


Complementarily, researchers have demonstrated transceivers designed to generate and broadcast spoofed ADS-B messages. For example, an SDR application developed by Magazu creates and transmits arbitrary ADS-B messages [37]. This application was used to spoof ADS-B messages using Ettus Research’s Universal Software Radio Peripheral (USRP) device and the GNU Radio API.

A cryptographic engine implementing FF1, FF2, and FF3 could be used to retrofit security to the ADS-B system and protect the NAS from potentially malicious use of the aforementioned technologies. In order for such a cryptographic engine to be practical, it should integrate seamlessly into the existing infrastructure and cause no adverse changes in performance.
2.8.1 Avionics Requirements.

The term ‘avionics’ is a portmanteau of the words ‘aviation’ and ‘electronics.’ It encompasses the electronic systems used in aircraft to control communications, navigation and flight management systems. The FAA maintains technical standards which regulate the development of safety- and mission-critical avionics equipment. The RTCA/DO-254 [53] standard, “Design Assurance Guidance For Airborne Electronic Hardware”, regulates hardware and firmware engineering of avionic systems. DO-260A and DO-260B [55] specify “Minimum Operational Performance Standards for 1090 MHz Extended Squitter Automatic Dependent Surveillance - Broadcast (ADS-B) and Traffic Information Services - Broadcast (TIS-B)” [17]. Among these standards are timing and latency requirements for the ADS-B transponder. DO-260B mandates that the latency of the ADS-B equipment be less than 100 ms [55, 62].

The use of FPGAs has been expanding from its traditional role in prototyping to mainstream production. Commercial pressures are driving this change with the intention of reducing design cost and achieving a faster time to market [23]. Major manufacturers of avionic systems are now using FPGAs in their transponders instead of custom ASICs [61].

2.8.2  Performance. 

Another criterion NIST used to evaluate the AES candidate algorithms in 1999 was hardware performance. The Rijndael algorithm was selected partly because it proved to be one of the fastest and most efficient algorithms, and was easily implemented on a wide range of platforms [39]. When evaluating the speed and efficiency of a given hardware implementation, the throughput, latency and hardware resources required are considered the most critical parameters [11].

A number of different architectures can be considered when implementing an encryption algorithm in hardware or on an FPGA. Iterative Looping (IL) is where only one round is designed, hence for an n-round algorithm, n iterations of that round are carried out to perform an encryption. Loop Unrolling (LU) involves the unrolling of multiple rounds. Pipelining (P) is achieved by replicating the round and placing registers between each round to control the flow of data. A pipelined architecture generally provides the highest throughput. Sub-Pipelining (SP) is carried out on a partially pipelined design when the round is complex. It decreases the pipeline’s delay between stages but increases the number of clock cycles required to perform an encryption [11, 39].

2.9 Summary

The FAA’s NextGen will provide a much needed upgrade to the antiquated ATC system. The ADS-B system will provide enhanced surveillance accuracy, improve situational awareness for ground and aircrew, and further the evolution of Air Traffic Control towards Free Flight. Recent advancements in the field of cryptography have provided tools to encrypt the ADS-B message, and help improve OPSEC for aircraft conducting sensitive operations. NIST has recommended three algorithms for use as Format-Preserving modes of AES. Using the information gained through this literature review, the FF1, FF2 and FF3 algorithms can be tested for use within the ADS-B environment. The performance of each algorithm will be tested in software and hardware, with representative ADS-B data.
III. Methodology


This  chapter  describes  the  experimental  design  and  methodology  used  to  test  the 
NIST  recommended  FPE  algorithms  for  use  within  the  ADS-B  environment. 

3.1  Experimental  Design 

The goal of this research is to determine the suitability of the FF1, FF2, and FF3 algorithms for encryption of ADS-B messages, with regard to security and performance.

To attain the first objective, three sets of experiments are designed to test the hypothesis suggested by the algorithm designers and NIST in [10], that the algorithms inherit the strong security characteristics of the underlying block cipher. NIST has not released details of its internal deliberations and performance assessments of the algorithms. As such, statistical tests are conducted to determine the ability of the FPE algorithms to provide confusion and diffusion to plaintext, and to output a ciphertext that is computationally indistinguishable from the output of a random process. A dataset of input plaintext is created with varying levels of entropy, and is independently encrypted with the FF1, FF2 and FF3 algorithms. The algorithms are implemented in C using the PolarSSL AES library [47] and the resulting ciphertext is measured for entropy.

The second objective of this research is to evaluate the hardware performance of the three algorithms by measuring the operational latency and resource utilization of an FPGA implementation. The algorithms are implemented in VHDL, simulated and synthesized on a Virtex-6 FPGA (XC6VLX240T) device using the Xilinx ISE 14.6 suite. A hardware-agnostic design is used in order to mitigate the particular effects of the Xilinx CMOS technology and FPGA architecture. Operational latency is estimated by the number of clock cycles elapsed between the input of a plaintext and the output of its ciphertext. Device utilization is assessed by the number of FPGA components used to synthesize the algorithms.

3.2  Evaluating  Entropy 

The methodology used to evaluate the security characteristics of the FF1, FF2, and FF3 algorithms builds on research conducted on the FFX algorithm by Finke [20]. Similar to Finke, this research employs randomized experiments to allow the greatest reliability in the statistical measurements of entropy and validity of the security analysis. Table 3.1 lists the experiments conducted. One set of experiments, Fixed Bytes, systematically increases the number and distribution of deterministic bytes in the unencrypted ADS-B message and evaluates the effect of these factors on the entropy of the resulting ciphertext. The second set of experiments, Fixed Fields, evaluates the effect of unchanging data in various ADS-B message fields on the entropy of the encrypted message. Finally, ADS-B messages extracted from the radar track of an aircraft are encrypted with the FF1, FF2 and FF3 algorithms and the resulting ciphertexts are evaluated.

The True Random Number Generator (TRNG) service provided by Random.org [51] is used to create the experimental dataset of ADS-B messages with varying levels of random and deterministic data. The dataset is independently encrypted with the FF1, FF2 and FF3 algorithms. The algorithms are implemented in C and tested on a Dell Precision T7500 machine with dual-core Intel Xeon 3.46 GHz processors and 48 GB of RAM.

3.2.1  Software  Implementation. 

The FF1, FF2, and FF3 algorithms are implemented as described in [10]. All three algorithms require a NIST-approved 128-bit block cipher; the block cipher used in this implementation is AES with a 128-bit key. The block cipher serves primarily as a subcomponent of the Pseudo-Random Function (PRF). The PRF employs a block chaining mode of AES to generate the output of the F-block, as shown in Algorithm 4. The 128-bit key ‘000102030405060708090a0b0c0d0e0f’, used in test vectors published by NIST in [43], is employed in the following experiments. The tweak is set to ‘88’ in hexadecimal or ‘10001000’ in binary, the standard value for the first byte of the ADS-B message, which contains the DF and CA fields.

Table 3.1: Entropy Experiments.

Fixed Bytes     Fixed Fields                              Radar Track
3 Front         None                                      WADS track
3 Random        Position
6 Front         Position, Altitude
6 Random        Position, Altitude, Address
9 Front         Position, Altitude, Address, Type Code
9 Random
12 Front
12 Random
All Random

The cryptography community discourages use of unverified implementations of AES. Thus PolarSSL, a vetted open source library used by the Dutch government to encrypt its official communications [20], is used in the software implementation. The PolarSSL implementation of the 128-bit Electronic Codebook (ECB) variant of AES is validated through comparison with test vectors published in NIST’s Known-Answer Test [43]. While there are many AES operating modes, the ECB variant is the one the FPE constructions call for, since each of them invokes the raw block cipher on single blocks [10]. PolarSSL is implemented in the C language and partly motivates the use of C throughout the research. The C programming language offers low-level data manipulation and rapid implementation of complex mathematical operations. However, it is limited to the byte as its lowest level of data granularity.

Algorithm 4 PRF(X) [10].

Prerequisites:
  Approved, 128-bit block cipher, CIPH;
  Key, K, for the block cipher;
Input:
  Nonempty bit string, X, such that LEN(X) is a multiple of 128.
Output:
  Block, Y.
Steps:
  1: Let m = LEN(X)/128.
  2: Partition X into m blocks X_1, ..., X_m, so that X = X_1 || ... || X_m and LEN(X_i) = 128 for all i from 1 to m.
  3: Let Y_0 = 0^128, and for j from 1 to m let Y_j = CIPH_K(Y_{j-1} ⊕ X_j).
  4: Return Y_m.

3.2.2  Limitations  and  Assumptions. 

The ADS-B message format is 112 bits, of which the first 5 bits, the Downlink Format (DF) field, signal the message type. The DF field must be left unencrypted in order for the receiver to properly decode the message [31]. The remaining 107 bits are available for encryption, but the non-standard message width is incompatible with the primitive data types of C.

Pilot experiments attempted to construct data structures in C to efficiently store the 107 bits. The language relies on byte alignment for CPU optimization and thus pads all data types to a whole number of bytes. Given these limitations, this research adheres to the methodology established by Finke in [20] and encrypts only 104 of the 107 encryptable bits of the ADS-B message, as shown in Figure 3.1. The 104-bit message width is a whole number of bytes (13) and can be split into two balanced 52-bit halves, which allows a balanced Feistel structure.
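Algorithm 4 and the balanced 104-bit split above, as an added example (this is not the thesis's C/PolarSSL code): a pure-Python AES-128, so the block runs without an external library; the PRF of Algorithm 4 as a CBC-MAC with a zero initial block; and a balanced Feistel network over 52-bit halves that uses the PRF as its round function. The round-function block layout (tweak || round number || half || zero padding) and the eight-round count are this example's own assumptions, not the FF1, FF2 or FF3 F-block, whose construction is specified in [10]. The key is the NIST test-vector key the thesis uses and the one-byte tweak is the DF||CA value 0x88 it names.

```python
"""AES-128, the PRF of Algorithm 4, and a balanced 104-bit Feistel skeleton.
Added example; not the thesis's code and not the NIST FF1/FF2/FF3 round function."""


def _xtime(a):
    # multiply by x in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gmul(a, b):
    """General GF(2^8) multiplication, shift-and-add."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sbox():
    """S-box = affine transform of the multiplicative inverse (a^254 == a^-1)."""
    rot = lambda v, s: ((v << s) | (v >> (8 - s))) & 0xFF
    sbox = [0x63] * 256                      # inverse of 0 is taken as 0; affine(0) = 0x63
    for a in range(1, 256):
        inv = 1
        for _ in range(254):
            inv = _gmul(inv, a)
        sbox[a] = inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63
    return sbox


SBOX = _build_sbox()


def _expand_key(key):
    """FIPS-197 key schedule: 44 words become 11 round keys of 16 bytes."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]     # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]


def aes128_encrypt(key, block):
    """One AES-128 block encryption; state is column-major, index = 4*col + row."""
    rk = _expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                             # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]   # ShiftRows
        if rnd < 10:                                                         # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                t = a0 ^ a1 ^ a2 ^ a3
                mixed += [a0 ^ t ^ _xtime(a0 ^ a1), a1 ^ t ^ _xtime(a1 ^ a2),
                          a2 ^ t ^ _xtime(a2 ^ a3), a3 ^ t ^ _xtime(a3 ^ a0)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[rnd])]                              # AddRoundKey
    return bytes(s)


def prf(key, x):
    """Algorithm 4: CBC-MAC of X with Y_0 = 0^128; returns the final block Y_m."""
    if not x or len(x) % 16:
        raise ValueError("LEN(X) must be a nonzero multiple of 128 bits")
    y = bytes(16)
    for j in range(0, len(x), 16):
        y = aes128_encrypt(key, bytes(a ^ b for a, b in zip(y, x[j:j + 16])))
    return y


HALF_BITS = 52                      # 104-bit message split into two balanced halves
HALF_MASK = (1 << HALF_BITS) - 1


def _round_fn(key, tweak, rnd, half):
    """Round function: PRF over one block holding tweak || round || half || zero pad.
    This layout is an assumption of the example, not the NIST F-block."""
    block = tweak + bytes([rnd]) + half.to_bytes(7, "big") + bytes(7)
    return int.from_bytes(prf(key, block), "big") & HALF_MASK


def feistel_encrypt(key, tweak, x, rounds=8):
    """Balanced Feistel over a 104-bit integer; the output is again exactly 104 bits."""
    a, b = x >> HALF_BITS, x & HALF_MASK
    for i in range(rounds):
        a, b = b, a ^ _round_fn(key, tweak, i, b)
    return (a << HALF_BITS) | b


def feistel_decrypt(key, tweak, y, rounds=8):
    """Inverse: the same round functions applied in reverse order."""
    a, b = y >> HALF_BITS, y & HALF_MASK
    for i in reversed(range(rounds)):
        a, b = b ^ _round_fn(key, tweak, i, a), a
    return (a << HALF_BITS) | b


KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")   # NIST test-vector key used by the thesis
TWEAK = bytes([0x88])                                        # DF||CA byte used as the tweak
```

With the FIPS-197 vector (this key and plaintext 00112233445566778899aabbccddeeff) `aes128_encrypt` returns 69c4e0d86a7b0430d8cdb78070b4c55a, and `prf` returns the same value for that single block because Y_0 is all zeros. Any 104-bit input encrypts to a 104-bit output with no padding, which is the property the bump-in-the-wire design depends on; changing the one-byte tweak changes the ciphertext, so the tweak must be exactly the header byte the receiver sees in the clear.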
Figure 3.1: Encryptable ADS-B fields [20].


The resulting ADS-B ciphertext leaves the DF and Capability (CA) fields unencrypted. The DF field determines which type of message ensues: DF19 or DF17. DF19 is reserved for military use; however, no specifications have been standardized for the ensuing message and it is not currently used in fielded systems [62]. The DF17 message type is exclusively considered because of its prevalence in GA and commercial aviation. The CA field indicates the ability of the emitting transceiver to transmit on the ground or airborne, and whether an emergency or priority alert is active. Of the five available CA codes, code ‘5’ is used to indicate an airborne aircraft with full communications capability [55].

The 104-bit encrypted portion of the message contains the Aircraft Address (AA), Message Extended Squitter (ME), and Parity/Interrogator Identity (PI) fields (24 + 56 + 24 = 104 bits). The AA field contains the 24-bit ICAO address of the aircraft. The ME field contains the 56-bit Extended Squitter (ES) message and reports information such as aircraft position, altitude, and velocity in subfields. The PI field provides data integrity: it carries a 24-bit Cyclic Redundancy Check (CRC) computed over the preceding fields [37]. The message content is designed to have varying levels of deterministic data, resulting in varying levels of plaintext entropy.
3.2.3 Dataset.


The experimental dataset is generated using data from the Random.org TRNG service [51]. Unlike pseudo-random number generators, which use mathematical formulae to generate sequences of numbers that appear random, TRNGs extract randomness from physical phenomena [51]. Random.org generates randomness by measuring atmospheric noise and produces one mebibyte (2^20 bytes) of raw random data each day. This data is made available to scientists and researchers through the website. The random file of 2013-09-17 was downloaded and used to generate the non-deterministic parts of the plaintext dataset. The dataset contains data for fourteen scenarios, replicated for 20 trials. The plaintext file for each trial of a scenario uses a unique deterministic byte sequence replicated in 4,000 ADS-B message strings. In addition to the generated dataset, 8,866 ADS-B messages are extracted from an observed aircraft track. In total, the experimental dataset contains 14 × 20 × 4,000 + 8,866 = 1,128,866 unique ADS-B messages. The goal of these experiments is to measure the ability of the FPE algorithms to obfuscate ADS-B messages within a representative operational environment.

3.2.3.1 Fixed Bytes.

Consecutive  ADS-B  messages  transmitted  by  a  transiting  aircraft  contain  instances  of 
repeated  data  since  coordinates  of  the  aircraft  do  not  drastically  change  from  one  message 
to  the  next.  Certain  data  fields  such  as  the  Aircraft  Address  and  Type  Code  (TC)  fields 
may  remain  constant  throughout  the  duration  of  a  flight.  The  first  set  of  experiments  in 
this  research  evaluates  the  ability  of  the  FPE  algorithms  to  obfuscate  arbitrary  sequences 
of  repeated  data. 

In 1999, NIST tested the ability of candidate algorithms for AES to encrypt a plaintext avalanche consisting of various sequences of random and fixed plaintext bits [58]. Given the software limitations, this research tests the ability of the FPE algorithms to encrypt a plaintext avalanche consisting of various sequences of random and fixed plaintext bytes. Regardless of the coarser granularity, the fixed bytes methodology provides the desired variation in plaintext entropy and has been employed in research published in a peer-reviewed journal [19]. The Fixed Bytes experiment studies the effect of repetitive, and thus predictable, input data on the entropy of the ciphertext.

There  are  two  factors  in  this  experiment:  the  number  of  deterministic  bytes  and 
the  distribution  of  deterministic  bytes  as  shown  in  Table  3.2.  There  are  four  levels  for 
the  first  factor  and  two  levels  for  the  second.  A  full  factorial  experimental  design  yields 
eight  scenarios.  The  dataset  contains  plaintext  for  eight  scenarios  in  which  3,  6,  9,  and  12 
bytes  of  the  total  13-byte  message  are  held  constant  at  the  front  or  dispersed  randomly 
throughout  the  message.  The  plaintext  file  for  each  scenario  contains  4000  samples. 

The  deterministic  part  of  the  sample  ADS-B  message  replicates  the  same  byte  sequence 
throughout  each  scenario;  however,  the  non-deterministic  part  of  each  message  is  a 
unique  random  sequence  extracted  from  the  2013-09-17  TRNG  file.  Measurements  are 
taken  on  the  input  plaintext  and  output  ciphertext  files  for  each  scenario.  The  experiment 
is  replicated  20  times,  consistent  with  previous  research  on  FFX  [20].  Note  that  the 
dataset  for  each  trial  uses  different  deterministic  and  non-deterministic  byte  sequences. 


Table 3.2: Fixed Bytes Levels and Factors.

Factor                                 Levels
Number of Deterministic Bytes          3 Bytes   6 Bytes   9 Bytes   12 Bytes
Distribution of Deterministic Bytes    Front     Random

For  example,  the  ‘3  Front’  scenario  shown  in  the  left  quadrant  of  Figure  3.2, 
indicates  that  the  first  three  bytes  are  the  same  for  each  sample  message.  The  ‘3  Random’ 
scenario  indicates  that  the  three  deterministic  bytes  are  randomly  dispersed  throughout  the 
sample  message. 
Figure 3.2: Sample Plaintext from the Fixed Bytes ‘3 Front’ and ‘3 Random’ Scenarios.


The other six scenarios follow a similar design. The 4,000 messages in each scenario repeat the same deterministic sequence; however, every scenario of a trial uses a unique deterministic byte sequence. The non-deterministic bytes of the sample message are composed of random data extracted from the Random.org sequence of 2013-09-17. Each trial employs new byte sequences in order to ensure statistical independence.

3.2.3.2 Fixed Fields.

The  Fixed  Fields  experiment  evaluates  the  ability  of  the  encryption  algorithm  to 
obfuscate  ADS-B  messages  with  constant  values  in  certain  fields.  In  this  experiment,  the 
values  of  the  Position,  Altitude,  Address,  and  Type  Code  bits  are  incrementally  fixed  to 
reduce  entropy  in  the  input  message.  In  flight,  these  values  are  often  constant  or  slow  to 
change  in  messages  broadcast  by  aircraft. 

Furthermore, the dataset is restricted to ADS-B messages with realistic data in the ME subfields shown in Figure 3.3. In addition to plausible ME data, the PI field contains a valid CRC value. For calculating the CRC, the DF field is set to ‘10001’ in binary or ‘17’ in decimal to indicate a DF17 ES message. The CA field is set to ‘101’ in binary or ‘5’ in decimal to indicate a transponder with “at least Comm-A and Comm-B capability, ability to set code 7, airborne” [55]. These parameters serve to reduce the message space to a subset representative of the ADS-B operating environment [20].

Figure 3.3: Structure of Message Extended Squitter (ME) fields [37].
[ TC (5 bits) ] [ S (3) ] [ Altitude (12) ] [ T (1) ] [ F (1) ] [ Latitude (17) ] [ Longitude (17) ]

• Altitude

The altitude component of the ME field consists of 12 bits. The first 11 bits are used to represent the altitude’s numerical value and the final bit indicates whether the value is expressed in 25 or 100 foot increments [37]. In the decoding process, an additional 1000 feet are added to the indicated altitude. Therefore, this encoding may represent an altitude as high as 205,800 feet, which is beyond the operating limit of most aircraft. The dataset for the Fixed Fields test is limited to altitudes commonly used by commercial and high-performance aircraft. The 20,000 foot window between FL180 and FL380 is the standard for aircraft operating in the NAS. The value of the altitude field of messages in the Fixed Fields dataset is therefore restricted to one of 800 values between 18,000 feet and 38,000 feet.

•  Position 

The geographical position constitutes 34 bits of the ME field and is represented using the Compact Position Reporting (CPR) encoding. CPR was developed for ADS-B messages broadcast on the 1090 MHz Extended Squitter (ES) datalink to reduce the number of bits required to convey participant latitude and longitude while maintaining an accuracy threshold of 5.1 meters. The circumference of the earth is approximately 40,000 kilometers, and 40,000,000 m / 5.1 m ≈ 7,800,000 discrete position values. Note that 7,800,000 position values would require 23 bits for the longitudinal coordinate, but CPR is able to convey position with 17 bits each for latitude and longitude, and 1 format bit. In the CPR coordinate system, the globe is divided into zones. Latitude zones start at the equator and go to both poles. Longitude zones start at the Prime Meridian and proceed eastward around the globe. Latitude and longitude zones are then divided into bins of approximately 5.1 meters in width. Every point on the globe is identified in the CPR coordinate system with a latitude zone index, latitude bin number, longitude zone index, longitude bin number and CPR format (even or odd zone size). Each coordinate is expressed as a 17-bit sequence. A more detailed explanation can be found in [54].

Messages received by a transceiver necessarily portray a location within its range of reception. According to [17], ADS-B transceivers are required to provide a range of 120 NM, and so transmissions decoded by a receiver generally originate within a 120 NM radius of its position. The Latitude and Longitude ME values are therefore constrained to position coordinates that fit within an area of 120 NM².

• Type Code

The Type Code field consists of the first 5 bits of the ME field and indicates the type of message that follows. This research focuses solely on airborne position reports, for which there are only 14 associated type code values (0, 9-18, 20-22) [20, 55]. One of these values is randomly selected for each simulated ADS-B message.

• Parity/Identity Field

The PI field is calculated as a Cyclic Redundancy Check (CRC) using the preceding 88 bits and the generator polynomial shown in Equation (3.1) [37].

$$G(x) = 1 + x^{3} + x^{10} + x^{12} + x^{13} + x^{14} + x^{15} + x^{16} + x^{17} + x^{18} + x^{19} + x^{20} + x^{21} + x^{22} + x^{23} + x^{24} \qquad (3.1)$$
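The DF17 framing of 3.2.2 and the PI field above, as an added example (not the thesis's code nor the generator from [37]): assemble a DF17 frame, compute the 24-bit parity with the generator polynomial of Equation (3.1), verify it, and split the frame into the clear DF||CA header byte (the tweak) and the 104-bit AA||ME||PI block that the FPE engine encrypts. The ICAO address and the ME payload are constructed values, not a recorded aircraft.

```python
"""DF17 framing, the 24-bit PI/CRC of Eq. 3.1, and the 104-bit split encrypted by the FPE.
Added example; the ICAO address and ME payload below are constructed, not recorded traffic."""

GENERATOR = 0xFFF409   # G(x) of Eq. 3.1 with the leading x^24 term dropped


def crc24(data):
    """Remainder of data(x) * x^24 modulo G(x), bits processed MSB first.
    Over the first 88 bits this is the PI field; over all 112 bits it is 0 for an intact frame."""
    crc = 0
    for byte in data:
        for i in range(7, -1, -1):
            feedback = ((crc >> 23) ^ (byte >> i)) & 1
            crc = (crc << 1) & 0xFFFFFF
            if feedback:
                crc ^= GENERATOR
    return crc


def build_df17(ca, icao, me):
    """Assemble DF(5) || CA(3) || AA(24) || ME(56) and append PI(24)."""
    if not (0 <= ca < 8 and 0 <= icao < 1 << 24 and len(me) == 7):
        raise ValueError("bad CA, ICAO address or ME length")
    body = bytes([(17 << 3) | ca]) + icao.to_bytes(3, "big") + me   # 88 bits
    return body + crc24(body).to_bytes(3, "big")                      # 112 bits


def parse_df17(msg):
    """Split a 112-bit frame into its fields and check the parity."""
    if len(msg) != 14:
        raise ValueError("DF17 frames are 14 bytes")
    return {
        "df": msg[0] >> 3,
        "ca": msg[0] & 0x7,
        "aa": int.from_bytes(msg[1:4], "big"),
        "tc": msg[4] >> 3,                        # first 5 bits of ME
        "me": msg[4:11],
        "pi": int.from_bytes(msg[11:14], "big"),
        "crc_ok": crc24(msg) == 0,
    }


def fpe_split(msg):
    """Return (clear DF||CA header byte used as the tweak, 104-bit AA||ME||PI integer to encrypt)."""
    return msg[0], int.from_bytes(msg[1:14], "big")


def fpe_join(header, block104):
    """Inverse of fpe_split: rebuild the 14-byte frame around the (encrypted) 104-bit block."""
    return bytes([header]) + block104.to_bytes(13, "big")


# Constructed sample: CA = 5, a made-up ICAO address, an airborne-position ME (TC = 11).
SAMPLE_ME = bytes.fromhex("58C382D690C8AC")
SAMPLE = build_df17(5, 0x4840D6, SAMPLE_ME)
```

`crc24` over all 112 bits returns 0 for an intact frame and nonzero for any single-bit error, which is the check a receiver runs before decoding. Two points worth noting for the retrofit: with CA = 5 the clear header byte is 0x8D, whereas 0x88 corresponds to CA = 0, so whichever byte is used as the tweak must be the one actually transmitted in the clear or the receiver cannot reproduce it; and because the PI field sits inside the 104 encrypted bits, a receiver that runs the parity check on the ciphertext will reject the frame, so in the bump-in-the-wire design decryption has to precede the parity check.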


3.2.3.3 Radar Track.

The final test uses ADS-B messages generated from real aircraft traffic. An aircraft radar track observed by the Western Air Defense Sector (WADS) was used to create this dataset. The WADS continually monitors the NAS to ensure air sovereignty and strategic air defense. As shown in Figure 3.4, the aircraft took off from Oakland, CA and travelled eastward towards Nebraska. The provided track includes altitude and position information from overlapping radars with 1 to 7 seconds between data points.

The  radar  coordinates  were  transformed  into  ADS-B  messages  in  [20]  using 
code  from  [37].  The  DF  and  CA  fields  are  held  constant  similar  to  the  Fixed  Fields 
dataset.  The  generated  plaintext  file  contains  8,866  unique  messages.  Given  the  aircraft’s 
continuous  movement,  the  geographical  position  varies  with  each  message;  however, 
the  altitude  changes  little  due  to  extended  cruise  periods  at  33,000  and  35,000  feet.  This 
dataset  relies  on  the  predictability  of  the  aircraft  trajectory  to  control  the  message  variance 
factor  instead  of  arbitrary  mixtures  of  deterministic  and  random  data. 


Figure  3.4:  Plot  of  WADS  Radar  track  [20]. 
3.2.4 Measurements.


When an adversary eavesdrops on secure communication, the encrypted information should appear random. In cryptography there exist several definitions of security: perfect security, semantic security, and entropic security [6, 63]. An encryption algorithm is perfectly secure if a ciphertext produced using it reveals no information at all about the plaintext; that is, the encryption cannot be broken even when the adversary has unlimited time and computational power. An example of such a cryptanalytically unbreakable cryptosystem is the one-time pad. This theoretical level of security is infeasible to achieve in practice because it requires a key as long as the total length of all messages that are going to be encrypted [63]. Semantic security, on the other hand, requires that no information about the plaintext can be feasibly extracted: any probabilistic polynomial-time algorithm (PPTA) that is given the ciphertext and the message length cannot determine any partial information about the message with non-negligible probability. However, deterministic encryption algorithms such as AES in ECB mode or FPE, which map a given plaintext to the same ciphertext every time under a fixed key and tweak, can never be semantically secure [63]. Entropic security is a weaker definition which relaxes the requirement to a level where the ciphertext has substantial entropy. What counts as substantial entropy is context-dependent. Nevertheless, random sequences and sequences generated by pseudorandom functions are considered to have high entropy [51, 63]. During the evaluation of candidates for the Advanced Encryption Standard in 1999, one of the criteria used was demonstrated suitability as a random number generator [58]. Therefore, this research assesses the security of the FPE encryption algorithms by comparison to a random sequence.

3.2.4.1 Shannon Entropy.

Entropy  is  a  measure  of  unpredictability  or  information  content.  It  measures  both  the 
amount  of  uncertainty  in  a  distribution  before  sampling  and  the  amount  of  information 
obtained  by  sampling.  This  research  uses  entropy  as  a  measurement  of  the  amount  of 
information that can be gleaned from the encrypted ADS-B message. The entropy H(X) of a variable or distribution is defined in Equation (3.2) [63].

$$H(X) = -\sum_{x \in X} p(x)\,\log_2 p(x) \qquad (3.2)$$

Theoretically, a truly random sequence has maximal entropy because its components are independent and uniformly distributed. In practice, a pseudorandom sequence generated by a cryptographically secure Pseudo-Random Number Generator (PRNG) has substantial but not perfect entropy. The higher the entropy of a sequence, the harder it is to obtain information about the nature of its content. A ciphertext produced by the FF1, FF2, or FF3 algorithm is considered to have high entropic security if its measured entropy equals or exceeds that of a random sequence. The entropy of the encrypted ADS-B message is compared to the entropy of an All Random sequence of the same length extracted from the 2013-09-17 TRNG file.

3.2.4.2 ENT Tool.

The ENT tool [66], developed by John Walker at Fourmilab, provides measurements of entropy. The program applies various statistical tests to sequences of bytes stored in files and reports the data’s aggregate entropy in bits per byte (bits/byte), where 8 bits/byte is the maximum for a byte-oriented source. The program is useful for evaluating pseudorandom number generators for encryption and other applications where the information density of a file is of interest. As such, this research uses the ENT tool to measure entropy statistics of each trial for every scenario in order to evaluate the pseudo-random characteristics of the FPE algorithms, as suggested by [41, 48, 49].
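The measurement of 3.2.4.1 and 3.2.4.2, as an added example (this is neither the ENT tool nor the thesis's scripts): compute the bits-per-byte Shannon entropy ENT reports, generate one Fixed Bytes scenario file in the shape of Table 3.2, and compare the measured plaintext entropy with the value the mixture of fixed and uniformly random bytes predicts. A seeded PRNG stands in for the Random.org file so the figures are reproducible; the message count (4,000) and width (13 bytes) follow the thesis.

```python
"""Shannon entropy in bits/byte, as ENT reports it, for Fixed Bytes style plaintext.
Added example; a seeded PRNG stands in for the thesis's Random.org TRNG file."""
import math
import random
from collections import Counter

MSG_LEN = 13   # bytes in the 104-bit encryptable ADS-B portion


def shannon_entropy(data):
    """H = -sum p(x) log2 p(x) over byte values; 8.0 is the maximum for a byte source."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fixed_bytes_dataset(n_fixed, n_msgs=4000, front=True, seed=1):
    """One Fixed Bytes scenario file: n_fixed deterministic bytes per 13-byte message,
    placed at the front ('N Front') or at random positions ('N Random')."""
    rng = random.Random(seed)
    fixed = bytes(rng.randrange(256) for _ in range(n_fixed))
    positions = list(range(n_fixed)) if front else sorted(rng.sample(range(MSG_LEN), n_fixed))
    out = bytearray()
    for _ in range(n_msgs):
        msg = bytearray(rng.randrange(256) for _ in range(MSG_LEN))
        for pos, val in zip(positions, fixed):
            msg[pos] = val
        out += msg
    return bytes(out), fixed


def predicted_entropy(fixed):
    """Entropy of the byte mixture a scenario generates: each fixed position always
    contributes its value, the remaining positions are uniform over 256 values."""
    p = [(MSG_LEN - len(fixed)) / MSG_LEN / 256] * 256
    for val in fixed:
        p[val] += 1 / MSG_LEN
    return -sum(q * math.log2(q) for q in p if q > 0)


def scenario_report(n_fixed, front=True):
    """(measured, predicted) plaintext entropy in bits/byte for one scenario."""
    data, fixed = fixed_bytes_dataset(n_fixed, front=front)
    return shannon_entropy(data), predicted_entropy(fixed)
```

For ‘3 Front’ the predicted plaintext entropy is roughly 7.2 bits/byte and for ‘12 Front’ roughly 4.3 bits/byte, while an All Random file approaches 8.0; the measured value tracks the prediction to within a few hundredths of a bit at 4,000 messages. The experiments then ask whether the ciphertext of FF1, FF2 and FF3 measures close to 8.0 regardless of which scenario produced the plaintext.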

3.3  Evaluating  Performance 

In 1999, NIST also used hardware performance as a primary criterion for evaluating the AES candidate algorithms. The Rijndael algorithm was selected partly because it proved to be one of the fastest and most efficient algorithms, and was easily implemented on a wide range of platforms [11]. A number of different architectures can be considered when implementing an encryption algorithm in hardware or on a Field Programmable Gate Array (FPGA). This research employs a pipelined implementation of 128-bit AES and an Iterative Looping (IL) architecture for the Feistel structure of FPE.

3.3.1  Hardware  Implementation. 

The implementation of the underlying AES cipher follows a pipelined architecture. A pipelined architecture provides distinct hardware for every stage of AES with registers between each stage. This allows the system to produce one ciphertext every clock cycle in steady state, for a high throughput rate, but utilizes considerable hardware resources. AES is a complex algorithm and improper implementation can cause serious security vulnerabilities. This research makes use of an AES core that was tested and verified in [35]. The core was designed by Pranav Patel and is copyrighted to AFIT. Table 3.3 shows the performance characteristics of the AES core, benchmarked on the Xilinx Virtex-6 FPGA. These size and speed measurements are used as a baseline for comparison of FF1, FF2, and FF3. The high throughput of the pipelined core far exceeds the requirements of the 2 Hz ADS-B message rate, which ensures that the only factors affecting the operational latency of the design are its maximum frequency and the number of clock cycles per encryption.

The FPE algorithms are implemented according to an Iterative Looping architecture. The IL architecture reuses hardware resources at the cost of overall throughput. Throughput is the average rate of data through a node [39]. For use within the ADS-B environment, the throughput of the cryptographic core must be higher than the 2 Hz message rate. The low data rate of ADS-B does not require an architecture optimized for throughput. As such, only one round of the algorithm is implemented and control logic is used to manage data flow for a complete encryption cycle, as shown in Figure 3.5. A new round does not begin until after data for the previous round has traversed the entire FPE Round block.

Table 3.3: Performance of AES Core.

Metric                          AES
Number of occupied Slices       1,864
Number of Slice Registers       5,801
Number of Slice LUTs            3,452
Number of 18K block RAMs        172
Maximum Frequency (MHz)         336.315
Clock Cycles per Round          3
Clock Cycles per Encryption     31


Figure 3.5: Illustration of the Iterative Looping Implementation of FPE. (Block diagram: a Round Control block, driven by the round number, AES key and tweak, feeds a single FPE Round block whose output is looped back for the next round.)

The pseudocode description provided by NIST is primarily intended for implementation in software. Certain operations in the pseudocode depend on previous ones, which requires carefully synchronized logic when implemented in hardware. Each algorithm’s pseudocode is expanded to identify parallelizable modules and blocks that can be implemented with combinational logic. Function calls to AES or PRF within the F-block of each round must be synchronized to ensure that the output of one block is valid when passed to the next AES block. In this implementation, a shift register is used to delay the start signal of the cascaded AES block until the number of clock cycles required by the first block has elapsed.

3.3.2  Performance  Metrics. 

The FF1, FF2, and FF3 algorithms are coded in VHDL, simulated, Placed and 
Routed (PAR), and synthesized on a Virtex-6 (XC6VLX240T) device using the Xilinx 
ISE 14.6 design suite. To facilitate comparison with the software implementations, the 
hardware implementations are designed to process 104-bit messages. No FPGA device-specific 
features, such as the Virtex-6’s DSP48E1 Digital Signal Processing slice, are 
used that would prevent an equivalent implementation on a different brand or model of 
FPGA. Behavioral simulation tests, Post-PAR static timing analysis and device utilization 
analysis are performed on each design. 

The device utilization analysis provides the following metrics: Number of Slice 
Registers, Number of Slice LUTs, Number of occupied Slices, and Number of 18Kb 
block RAMs. Slices are the basic building block components in the Xilinx FPGA 
fabric. Each slice contains four Look-Up Tables (LUTs) which are used to implement 
combinational logic such as AND gates, OR gates and other boolean functions. In 
addition to LUTs, slices also contain eight flip-flop registers which hold state and are used 
to implement sequential logic. In the device utilization report, any slice that is used even 
partially is counted towards the number of occupied Slices. A design may be fit into fewer 
slices if necessary, but mapping unrelated logic into the same slice may limit the ability of 
the placer to meet timing constraints [68]. The Virtex-6 provides 18Kb and 36Kb blocks 
of RAM that may be used to store data. 

The Post-PAR static timing analysis provides the Maximum Frequency (MHz) 
metric. The maximum frequency is based on the worst path delay found after place and 
route, and indicates the fastest clock rate at which the design meets timing given this constraint. 

A behavioral simulation test is conducted using the Xilinx ISE Simulator (ISim). 
The results of a behavioral simulation can be replicated on any simulation tool by using 
the same test bench. The stimuli used in the test bench are a 50 MHz clock, and sample 
plaintext ADS-B messages taken from the entropy dataset. The operational latency 
of each algorithm is measured by monitoring input ready and output ready signals in 
the simulation waveforms. The number of clock cycles elapsed between the input of a 
plaintext and the output of its ciphertext is counted in the waveform. The numbers of 
clock cycles required for the completion of one round and for a complete encryption cycle 
are reported. 

3.4  Cryptographic  Engine 

The  Bump-in-the-Wire  cryptographic  engine  intercepts  the  unencrypted  ADS-B  Out 
message  at  the  output  of  the  transponder  and  encrypts  it  before  transmission.  Figure  3.6 
and  Figure  3.7  show  a  block  diagram  of  the  ADS-B  system  without  and  with  the  proposed 
encryption  engine,  respectively.  Such  a  design  requires  minimal  redesign  and  can  be 
retrofitted  to  existing  transponders.  The  cryptographic  engine  also  detects  and  decrypts 
encrypted  ADS-B  In  messages  between  the  antenna  and  the  legacy  transponder. 

3.5  Summary 

This research evaluates the security and hardware performance profiles of the NIST 
recommended FPE algorithms. The ability of the algorithms to obfuscate messages 
is tested with three experimental datasets. The experimental datasets are designed to 
challenge the algorithms’ ability to obfuscate repeated data in messages. The entropies 
of the plaintext and resulting ciphertext are measured after encryption with the FF1, FF2, 
and FF3 algorithms. The ciphertext is considered to have high entropic security if its 
measure of entropy equals or exceeds that of a random sequence. After verification of the 
security characteristics of the algorithms, they are implemented on an FPGA to test their 
hardware performance. Operational latency and resource utilization are measured for each 
algorithm. The latency and resource utilization of the underlying AES core are used as a 
baseline for comparison of FF1, FF2, and FF3. A BITW FPE cryptographic engine placed 
between the ADS-B transponder and antenna could encrypt and decrypt messages deemed 
sensitive for enhanced Operational Security. 

Figure 3.6: Block Diagram of ADS-B avionics [62]. 

Figure 3.7: Block Diagram of Secure ADS-B avionics. Modified from [62]. 
IV.  Results and Analysis 

This chapter discusses the security and performance of the FF1, FF2 and FF3 
algorithms in software and hardware. Experiments were conducted to test the 
hypothesis that the FPE algorithms inherit the strong security of the underlying AES 
block cipher and meet the avionics performance requirements of DO-260B. Results of the 
entropy and performance experiments are presented below. The chapter concludes with an 
analysis of the data. 

4.1  Entropy  Results 

The algorithms are implemented in C using the PolarSSL AES library. The dataset 
is encrypted with each algorithm and the resulting ciphertexts are stored. The ENT tool 
[66] is used to calculate the entropy of the input plaintext samples and their corresponding 
ciphertext. 

4.1.1  Verification of Software Implementation. 

Since FF1, FF2, and FF3 are new algorithms, there exist no Known-Answer Tests 
or vetted implementations. The implementation is verified through decryption. While 
implementing the decryption process, errors were discovered in the decryption algorithms 
published in the Draft Special Publication 800-38G. The decryption algorithms printed 
in Draft SP800-38G did not properly reverse the Feistel structure of FPE. One of the 
three erroneous decryption algorithms is shown in Algorithm 5. NIST was contacted 
regarding the errors. Morris Dworkin, author of SP800-38G, approved the suggested 
corrections [9], and plans to revise the three decryption specifications in the next release. 

A proper decryption algorithm for FPE should reverse the Feistel structure as shown 
in Figure 4.1. The appropriate decryption algorithms are designed by reverse engineering 
the encryption algorithms. The corrected FF1, FF2, and FF3 decryption algorithms are 
presented in Algorithm 6, Algorithm 7, and Algorithm 8. 

Algorithm 5  Erroneous FF1.Decrypt(K, T, X) [10]. 

Prerequisites: 
  Approved, 128-bit block cipher, CIPH; 
  Key, K, for the block cipher; 
  Base, radix, for the character alphabet; 
  Range of supported message lengths, [minlen..maxlen]; 
  Maximum byte length for tweaks, maxTlen. 
Inputs: 
  Numeral string, X, in base radix of length n such that n ∈ [minlen..maxlen]; 
  Tweak byte string, T, of byte length t, such that t ∈ [0..maxTlen]. 
Output: 
  Numeral string, Y, such that LEN(Y) = n. 
Steps: 
   1:  Let u = ⌊n/2⌋; v = n − u. 
   2:  Let A = X[1..u]; B = X[u+1..n]. 
   3:  Let b = ⌈⌈v · LOG2(radix)⌉ / 8⌉; d = 4⌈b/4⌉ + 4. 
   4:  Let P = [1]^1 || [2]^1 || [1]^1 || [radix]^3 || [10]^1 || [u mod 256]^1 || [n]^4 || [t]^4. 
   5:  for i = 9 to 0 do 
   6:    Let Q = T || [0]^((−t−b−1) mod 16) || [i]^1 || [NUM_radix(B)]^b. 
   7:    Let R = PRF(P || Q). 
   8:    Let S be the first d bytes of the following string of ⌈d/16⌉ blocks: 
           R || CIPH_K(R ⊕ [1]^16) || CIPH_K(R ⊕ [2]^16) || ... || CIPH_K(R ⊕ [⌈d/16⌉ − 1]^16). 
   9:    Let y = NUM_2(S). 
  10:    If i is even, let m = u; else, let m = v. 
  11:    Let c = (NUM_radix(A) − y) mod radix^m. 
  12:    Let C = STR^m_radix(c). 
  13:    Let A = B. 
  14:    Let B = C. 
  15:  end for 
  16:  Return A || B. 


Figure 4.1: Reversed Feistel Structure of FPE for Decryption. Modified from [10]. 
(Diagram: the u-character half A and the v-character half B pass through the rounds 
in reverse order, each round function taking n, T and the round index i; in every round 
the halves are swapped (C ← B, B ← A) before the round function is applied, ending 
with A_0 ← B_1 and B_0 ← A_1 at the output.) 


Correctly  decrypted  ciphertext  provided  high  confidence  that  the  implementations 
were  accurate,  as  it  is  highly  unlikely  that  an  error  in  either  the  implemented  encryption 
or  decryption  algorithms  would  lead  to  a  recovered  plaintext.  Figure  4.2  shows  an 
example  of  verification  through  decryption. 
Algorithm 6  Corrected FF1.Decrypt(K, T, X). 

Prerequisites: 
  Approved, 128-bit block cipher, CIPH; 
  Key, K, for the block cipher; 
  Base, radix, for the character alphabet; 
  Range of supported message lengths, [minlen..maxlen]; 
  Maximum byte length for tweaks, maxTlen. 
Inputs: 
  Numeral string, X, in base radix of length n such that n ∈ [minlen..maxlen]; 
  Tweak byte string, T, of byte length t, such that t ∈ [0..maxTlen]. 
Output: 
  Numeral string, Y, such that LEN(Y) = n. 
Steps: 
   1:  Let u = ⌊n/2⌋; v = n − u. 
   2:  Let A = X[1..u]; B = X[u+1..n]. 
   3:  Let b = ⌈⌈v · LOG2(radix)⌉ / 8⌉; d = 4⌈b/4⌉ + 4. 
   4:  Let P = [1]^1 || [2]^1 || [1]^1 || [radix]^3 || [10]^1 || [u mod 256]^1 || [n]^4 || [t]^4. 
   5:  for i = 9 to 0 do 
   6:    Let C = B. 
   7:    Let B = A. 
   8:    Let Q = T || [0]^((−t−b−1) mod 16) || [i]^1 || [NUM_radix(B)]^b. 
   9:    Let R = PRF(P || Q). 
  10:    Let S be the first d bytes of the following string of ⌈d/16⌉ blocks: 
           R || CIPH_K(R ⊕ [1]^16) || CIPH_K(R ⊕ [2]^16) || ... || CIPH_K(R ⊕ [⌈d/16⌉ − 1]^16). 
  11:    Let y = NUM_2(S). 
  12:    If i is even, let m = u; else, let m = v. 
  13:    Let a = (NUM_radix(C) − y) mod radix^m. 
  14:    Let A = STR^m_radix(a). 
  15:  end for 
  16:  Return A || B. 
Algorithm 7  Corrected FF2.Decrypt(K, T, X). 

Prerequisites: 
  Approved, 128-bit block cipher, CIPH; 
  Key, K, for the block cipher; 
  Base, radix, for the character alphabet; 
  Base, tweakradix, for the tweak character alphabet; 
  Range of supported message lengths, [minlen..maxlen]; 
  Maximum supported tweak length, maxTlen. 
Inputs: 
  Numeral string, X, in base radix of length n such that n ∈ [minlen..maxlen]; 
  Tweak numeral string, T, in base tweakradix of length t such that t ∈ [0..maxTlen]. 
Output: 
  Character string, Y, such that LEN(Y) = n. 
Steps: 
   1:  Let u = ⌊n/2⌋; v = n − u. 
   2:  Let A = X[1..u]; B = X[u+1..n]. 
   3:  If t > 0, P = [radix]^1 || [t]^1 || [n]^1 || [NUM_tweakradix(T)]^13; 
       else P = [radix]^1 || [0]^1 || [n]^1 || [0]^13. 
   4:  Let J = CIPH_K(P). 
   5:  for i = 9 to 0 do 
   6:    Let C = B. 
   7:    Let B = A. 
   8:    Let Q = [i]^1 || [NUM_radix(B)]^15. 
   9:    Let Y = CIPH_J(Q). 
  10:    Let y = NUM_2(Y). 
  11:    If i is even, let m = u; else, let m = v. 
  12:    Let a = (NUM_radix(C) − y) mod radix^m. 
  13:    Let A = STR^m_radix(a). 
  14:  end for 
  15:  Return A || B. 


Algorithm 8  Corrected FF3.Decrypt(K, T, X). 

Prerequisites: 
  Approved, 128-bit block cipher, CIPH; 
  Key, K, for the block cipher; 
  Base, radix, for the character alphabet; 
  Range of supported message lengths, [minlen..maxlen], such that minlen ≥ 2 and 
    maxlen ≤ 2⌊log_radix(2^96)⌋. 
Inputs: 
  Numeral string, X, in base radix of length n such that n ∈ [minlen..maxlen]; 
  Tweak bit string, T, such that LEN(T) = 64. 
Output: 
  Numeral string, Y, such that LEN(Y) = n. 
Steps: 
   1:  Let u = ⌈n/2⌉; v = n − u. 
   2:  Let A = X[1..u]; B = X[u+1..n]. 
   3:  Let T_L = T[0..31] and T_R = T[32..63]. 
   4:  for i = 7 to 0 do 
   5:    Let C = B. 
   6:    Let B = A. 
   7:    If i is even, let m = u and W = T_R; else let m = v and W = T_L. 
   8:    Let P = REV([NUM_radix(REV(B))]^12) || W ⊕ REV([i]^4). 
   9:    Let Y = CIPH_K(P). 
  10:    Let y = NUM_2(REV(Y)). 
  11:    Let a = (NUM_radix(REV(C)) − y) mod radix^m. 
  12:    Let A = REV(STR^m_radix(a)). 
  13:  end for 
  14:  Return A || B. 

*Where REV(X) reverses the order of characters in the character string X. 
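The difference between Algorithm 5 and Algorithm 6 is easiest to see by running both against the same ciphertext. The script below is an added example written for this edit; it is not the thesis's C/PolarSSL implementation and not NIST's reference. It keeps the FF1 data flow of the page (the u/v split, the P and Q byte strings, b and d, the alternating m, and the order of the A/B assignments) but, as an assumption so that it runs on the Python standard library alone, replaces the AES-based PRF and the CIPH_K(R ⊕ [j]) expansion of SP 800-38G with HMAC-SHA256. The function names, the demo key and the tweak are constructed for the example; the plaintext is the 104-bit value shown in Figure 4.2.

```python
"""FF1 Feistel data flow: encryption, the erroneous draft decryption (Algorithm 5)
and the corrected decryption (Algorithm 6).  Added example, not the thesis's
C/PolarSSL code.  Assumption: the AES-CBC-MAC PRF and the CIPH_K(R xor [j])
expansion of SP 800-38G are replaced by HMAC-SHA256 so that the script runs on
the Python standard library alone; P, Q, b, d, m and the A/B swaps follow the page.
"""
import hashlib
import hmac
import math

ROUNDS = 10  # FF1 uses ten Feistel rounds, indexed 0..9


def num(digits, radix):
    """NUM_radix: numeral string (most significant digit first) to integer."""
    value = 0
    for d in digits:
        value = value * radix + d
    return value


def str_m(x, radix, m):
    """STR^m_radix: integer x as exactly m digits in the given radix."""
    out = []
    for _ in range(m):
        out.append(x % radix)
        x //= radix
    return out[::-1]


def prf(key, data):
    """Stand-in PRF (assumption): HMAC-SHA256 truncated to a 16-byte block."""
    return hmac.new(key, data, hashlib.sha256).digest()[:16]


def _setup(x, tweak, radix):
    """Steps 1-4 shared by encryption and decryption: u, v, b, d and P."""
    n = len(x)
    u, v = n // 2, n - n // 2
    b = math.ceil(math.ceil(v * math.log2(radix)) / 8)
    d = 4 * math.ceil(b / 4) + 4
    p = (bytes([1, 2, 1]) + radix.to_bytes(3, "big") + bytes([ROUNDS, u % 256])
         + n.to_bytes(4, "big") + len(tweak).to_bytes(4, "big"))
    return u, v, b, d, p


def _round_y(key, p, tweak, b, d, i, half, radix):
    """Round function F: Q = T || pad || [i] || [NUM(half)]^b, R = PRF(P || Q),
    S = first d bytes of R and its expansion blocks, y = NUM_2(S)."""
    pad = (-len(tweak) - b - 1) % 16
    q = tweak + bytes(pad) + bytes([i]) + num(half, radix).to_bytes(b, "big")
    r = prf(key, p + q)
    s, j = r, 1
    while len(s) < d:                       # expansion blocks (stand-in PRF)
        s += prf(key, r + j.to_bytes(16, "big"))
        j += 1
    return int.from_bytes(s[:d], "big")


def ff1_encrypt(key, tweak, x, radix):
    """FF1.Encrypt: each round maps (A, B) to (B, STR_m(NUM(A) + F(B)))."""
    u, v, b, d, p = _setup(x, tweak, radix)
    a, bb = list(x[:u]), list(x[u:])
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v
        y = _round_y(key, p, tweak, b, d, i, bb, radix)
        c = (num(a, radix) + y) % radix ** m
        a, bb = bb, str_m(c, radix, m)      # A = B; B = C
    return a + bb


def ff1_decrypt_corrected(key, tweak, x, radix):
    """Algorithm 6: swap first (C = B; B = A), then A = STR_m(NUM(C) - F(B))."""
    u, v, b, d, p = _setup(x, tweak, radix)
    a, bb = list(x[:u]), list(x[u:])
    for i in reversed(range(ROUNDS)):
        c, bb = bb, a                       # C = B; B = A
        m = u if i % 2 == 0 else v
        y = _round_y(key, p, tweak, b, d, i, bb, radix)
        a = str_m((num(c, radix) - y) % radix ** m, radix, m)
    return a + bb


def ff1_decrypt_erroneous(key, tweak, x, radix):
    """Algorithm 5 as printed in the draft: subtracts y but keeps the encryption
    data flow (A = B; B = C), so the Feistel structure is not reversed."""
    u, v, b, d, p = _setup(x, tweak, radix)
    a, bb = list(x[:u]), list(x[u:])
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = _round_y(key, p, tweak, b, d, i, bb, radix)
        c = (num(a, radix) - y) % radix ** m
        a, bb = bb, str_m(c, radix, m)
    return a + bb


def hex_digits(s):
    return [int(ch, 16) for ch in s]


def to_hex(digits):
    return "".join("0123456789abcdef"[d] for d in digits)


if __name__ == "__main__":
    KEY, TWEAK = bytes(range(16)), b"ADSB"    # constructed demo key and tweak
    PT = "deadbeef00deadbeef00deadbe"         # 104-bit plaintext from Figure 4.2
    ct = ff1_encrypt(KEY, TWEAK, hex_digits(PT), 16)
    print("ciphertext        ", to_hex(ct))
    print("corrected decrypt ", to_hex(ff1_decrypt_corrected(KEY, TWEAK, ct, 16)))
    print("erroneous decrypt ", to_hex(ff1_decrypt_erroneous(KEY, TWEAK, ct, 16)))
```

Running the script shows the corrected decryption returning the plaintext while the draft's version returns an unrelated numeral string of the same length: because Algorithm 5 feeds B, not the previously swapped half, into F and then performs the encryption-order assignments, it is simply another Feistel pass with a subtraction rather than the inverse of encryption. Since the PRF here is a stand-in, the ciphertext values do not match Figure 4.2; only the structural behaviour is reproduced.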
Figure 4.2: Software Verification of FF3 Implementation. (Console output: FF3 
ciphertext b53820de 3aa319e3 cf102a42 fe; decrypted ciphertext deadbeef 00deadbe 
ef00dead be.) 


4.1.2  Fixed Bytes. 

The number and distribution of fixed bytes across the message consistently determines the 
level of entropy of the plaintext. As expected, the entropy of the unencrypted plaintext 
samples decreases as the number of deterministic bytes increases. Pilot experiments 
validate the ENT tool by comparison of its measurements to a theoretical calculation of 
entropy. According to Equation (3.2), a message composed of identical bytes has zero 
entropy. The ENT tool successfully measures a plaintext file composed of the same byte 
repeated in 4,000 messages to have 0 bits/byte of entropy. A 13-byte message with 
non-repeating byte values has a theoretical entropy of log2(13) = 3.7 bits/byte. Measurement 
with the ENT tool of a plaintext file composed of 4,000 samples of the same 13-byte fixed 
sequence yields an entropy of 3.547 bits/byte. Despite the lack of change from message to 
message, this measurement reflects the byte-value variation within the message: ENT 
computes entropy from the byte histogram of the whole file, so repeating a message does 
not lower the measure, and only the distribution of byte values within it matters. Note that 
the definition of entropy contains a logarithmic term. 
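The pilot checks above can be reproduced with a few lines. The following is an added example, not the thesis's code and not the ENT tool itself; it computes the same byte-histogram Shannon entropy in bits/byte that ENT reports and Equation (3.2) defines, on inputs constructed here to mirror the experiments (one repeated byte, 13 distinct bytes repeated 4,000 times, and the page's random-sequence threshold of 7.99633 bits/byte as the acceptance criterion). The function names are the example's own.

```python
"""Shannon entropy in bits/byte over a byte histogram, the quantity ENT reports
and Equation (3.2) defines.  Added example, not the thesis's code or the ENT tool.
The inputs are constructed here to mirror the pilot checks described above.
"""
import math
from collections import Counter

RANDOM_BASELINE = 7.99633  # bits/byte measured on the Random.org control file (page value)


def entropy_bits_per_byte(data: bytes) -> float:
    """H = -sum p_i log2 p_i over the byte values present in `data`."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_of_message_file(message: bytes, copies: int) -> float:
    """ENT-style measurement of a file holding `copies` identical messages.
    Repetition scales every histogram bin equally, so the result equals the
    entropy of a single message: the measure sees byte-value variation,
    not message-to-message variation."""
    return entropy_bits_per_byte(message * copies)


def max_entropy_for_distinct_bytes(k: int) -> float:
    """Theoretical bits/byte for a message of k distinct, equally frequent byte values."""
    return math.log2(k)


def meets_random_baseline(ciphertext: bytes, baseline: float = RANDOM_BASELINE) -> bool:
    """The page's acceptance criterion: ciphertext entropy at or above the TRNG control."""
    return entropy_bits_per_byte(ciphertext) >= baseline


if __name__ == "__main__":
    print(entropy_of_message_file(b"\xaa" * 13, 4000))                   # 0.0
    print(entropy_of_message_file(bytes(range(13)), 4000))               # log2(13) = 3.70
    print(entropy_of_message_file(b"\x00\x01\x02" * 4 + b"\x03", 4000))  # below log2(13)
    print(meets_random_baseline(bytes(range(256)) * 16))                 # True (8.0 bits/byte)
```

A 13-byte sequence with 13 distinct values measures exactly log2(13) ≈ 3.70 bits/byte regardless of how many times it is repeated; a reading below that, such as the 3.547 bits/byte quoted above, can only arise if some byte values in the fixed sequence coincide.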

Unexpectedly, the entropy of plaintexts with consecutive deterministic bytes at 
the front of the message is not statistically different from that of their randomly distributed 
counterparts, within a 95% Confidence Interval (CI). Although the deterministic byte 
sequence is different for each trial, there is low variance in the resulting entropy as shown 
by the standard deviation data in Table 4.1. The standard deviation increases as the mean 
entropy decreases, which implies that security differences between the algorithms are 
more defined with low entropy plaintext. 


Table 4.1: Fixed Bytes Entropy (bits/byte). 
The entropy of a control message, composed of All Random bytes, is measured to be 
7.99633 (bits/byte). The random sequence was extracted from the Random.org TRNG 
file of 2013-09-17. The TRNG sequence, comparable to a pseudo-random sequence 
[51], serves as the baseline for evaluation of the security merits of the FF1, FF2 and 
FF3 algorithms. A ciphertext with entropy equal to or greater than that of the random 
sequence is considered secure. Figure 4.3 shows the mean entropy of the plaintext and 
ciphertexts of each Fixed Bytes scenario, averaged for the 20 trials. The ciphertext equals 
or exceeds the random sequence entropy threshold in all but one scenario. 


Figure 4.3: Mean Entropy of Fixed Bytes Scenarios. (Bar chart; series: Plaintext, FF1, 
FF2, FF3; x-axis: Number and Distribution of Fixed Bytes; y-axis: mean entropy.) 


Note that the encryption of 12 fixed consecutive bytes in the ‘12 Front’ scenario 
causes a mean ciphertext entropy consistently below the random sequence threshold 
of 7.99633 (bits/byte). The mean entropy of the ‘12 Front’ ciphertext is more than two 
standard deviations smaller than the baseline entropy across all three algorithms. This 
scenario fails to yield a secure ciphertext. The ‘12 Front’ plaintext has a mean entropy of 
4.2563 which is not statistically different from that of the ‘12 Random’ plaintext, which 
has a mean entropy of 4.2562 (bits/byte), with 95% confidence. However, encryption of 
the 12 randomly distributed bytes in the ‘12 Random’ scenario yields a secure ciphertext. 

Additionally, the ‘12 Front’ scenario displays the largest differences in the entropy 
of the FF1, FF2 and FF3 ciphertext. Although all three algorithms fail to yield secure 
ciphertext in the ‘12 Front’ scenario, it is important to investigate which algorithm yields 
the better ciphertext. 

4.1.2.1  Comparison. 

Pairwise  Student’s  t-tests  are  conducted  to  determine  whether  there  exist  statistical 
differences  between  the  three  algorithms.  A  robust  t-test  requires  the  following 
assumptions:  random  sampling  of  population,  population  normality,  independent 
samples,  and  similar  standard  deviations.  The  use  of  the  entirety  of  results  from  the 
20  trials  satisfies  the  random  sampling  requirement.  The  populations  are  determined 
to  be  approximately  normal  and  of  similar  distribution  through  visual  analysis  of  their 
descriptive  statistics  graphed  in  a  boxplot.  Each  trial  uses  independent  deterministic  and 
random  byte  sequences.  Finally,  the  standard  deviations  of  the  ciphertext  are  similar  in 
all  scenarios  as  shown  in  Table  4.1.  Figure  4.4  shows  a  boxplot  of  the  ciphertext  samples 
for  each  algorithm  in  the  worst  case  scenario.  The  ‘12  Front’  scenario  displays  the  lowest 
values  and  the  largest  variances  in  ciphertext  entropy;  however,  the  boxplot  shows  that  the 
populations  have  similar  spreads  and  skewness,  and  few  outliers. 

The R Statistical Computing tool is used to calculate pairwise Welch Two Sample 
t-tests for each scenario. The p-values shown in Table 4.2 show that, at the 95% 
confidence level, all t-tests fail to reject the null hypothesis that the algorithms have 
no statistically significant differences in their security performance in the Fixed Bytes 
scenarios. Within the resolution of these experiments, the three algorithms are therefore 
statistically indistinguishable with regard to security; failing to reject the null hypothesis 
does not by itself prove that they are equivalent. 
Figure 4.4: Boxplot of ‘12 Front’ Ciphertext Populations. 


4.1.3  Fixed Fields. 

The random input files were then altered to model plausible ADS-B messages by 
limiting the data fields to operationally logical values. An increasing number of fields is 
held constant in the ADS-B message. The results of the Fixed Fields tests are depicted in 
Table 4.3 and Figure 4.5. As expected, the entropy of the plaintext message decreases as 
the number of fields with fixed content increases. 

In the scenarios with zero, one, or two fixed fields, the ciphertext entropies are above 
7.99633 (bits/byte), the threshold of a random sequence. The entropy of the ciphertext 
falls below the threshold when three data fields are held constant. The input entropy of 
the scenario in which the Position, Altitude and Address ME fields are held constant is 
5.55 (bits/byte). Although these data fields are only 6 bytes long, their nearly consecutive 
placement in the structure of the ADS-B message, and the restricted range of their 
values, causes a failure in the entropic security of the FPE algorithms. The entropy values 
decrease further when four fields are held constant. In the cases of three and four fixed 
fields, the message space is reduced to 2^10 and 2^5 permutations since only 10 or 5 bits of 
the ME subfield are randomized, respectively. This behaviour is inherent to deterministic 
encryption of a small message space rather than specific to FF1, FF2 or FF3: for a given 
key and tweak, equal plaintexts produce equal ciphertexts, so at most 2^10 (or 2^5) distinct 
ciphertexts can appear and their byte entropy is bounded accordingly. 

Table 4.2: Pairwise t-Tests for Fixed Bytes (p-value). 

  Scenario     FF1-FF2   FF1-FF3   FF2-FF3 
  3 Front      0.1248    0.6528    0.3504 
  3 Random     0.6872    0.6505    0.9564 
  6 Front      0.9267    0.4835    0.3294 
  6 Random     0.8759    0.1346    0.1251 
  9 Front      0.794     0.1588    0.0513 
  9 Random     0.1033    0.6022    0.2593 
  12 Front     0.1889    0.989     0.2272 
  12 Random    0.6738    0.2616    0.078 

4.1.3.1  Comparison. 

Given the differences between the entropies of the ciphertexts, pairwise two-tailed 
t-tests are used to evaluate the differences in security of the three algorithms. The t-test 
assumptions of population normality, independence of samples, and similar variances are 
satisfied. The R Statistical Computing tool is used to perform Welch Two Sample t-tests. 
Results are shown in Table 4.4. The p-values suggest that there is no statistical difference 
between the three algorithms in the Fixed Fields scenarios, within 95% CI. 
Table 4.3: Fixed Fields Entropy (bits/byte). 

Figure 4.5: Mean Entropy of Fixed Fields Scenarios. 


Table 4.4: Pairwise t-Tests for Fixed Fields (p-value). 

  Fixed Fields                      FF1-FF2   FF1-FF3   FF2-FF3 
  None                              0.0985    0.6261    0.2374 
  Position                          0.7978    0.906     0.8921 
  Pos & Altitude                    0.9063    0.0763    0.1154 
  Pos & Alt & Address               0.5665    0.213     0.464 
  Pos & Alt & Addr & Type Code      0.9657    0.8956    0.9181 

4.1.4  Radar Track. 

ADS-B messages were generated for a Radar observed aircraft traveling from 
California to Nebraska. The aircraft in question takes off from the Californian coast, 
climbs to an altitude of 35,000 ft and maintains approximately the same course heading 
all the way to Nebraska. This flight represents one of the worst case scenarios for 
encryption in the ADS-B environment, in which several data fields are nearly constant 
from one message to the next. Table 4.5 and Figure 4.6 show the results of the entropy 
measurements. This track is found to have an aggregate entropy of 6.51 bits/byte, which is 
closest to the entropy of a simulated ADS-B message with two fixed fields. 


Table 4.5: Entropy of Radar Track (bits/byte). 

                      Plaintext    FF1      FF2      FF3 
  WADS Radar Track    6.513979     7.9983   7.9986   7.9984 

Figure 4.6: Entropy of Radar Track. (Bar chart of plaintext and FF1, FF2, FF3 ciphertext 
entropy for the WADS Radar Track.) 


4.1.4.1  Comparison. 

Encryption of the radar track yields ciphertexts with entropy above the random 
sequence threshold of 7.99633 (bits/byte) for all three algorithms. In the Radar Track 
experiment, the FF2 algorithm produces the ciphertext with the highest entropy. For this 
particular set of ADS-B messages, the FF3 algorithm has the second highest entropic 
security among the three algorithms. Note, however, that there are not enough data points 
to make generalizable inferences. 

4.1.5  Assessment. 

The FF1, FF2, and FF3 algorithms securely encrypt the majority of plaintext treated 
in the three sets of experiments. In the Fixed Bytes experiments, the algorithms only fail 
to securely encrypt plaintext with 12 consecutive deterministic bytes at the front of the 
message. However, the algorithms successfully encrypt plaintext with lower entropy 
but with a random distribution of deterministic data. In the Fixed Fields experiments, 
the algorithms begin to fail when three consecutive data fields are held constant. The 
Radar Track experiment reproduces a real flight scenario. The algorithms successfully 
encrypt the ADS-B Out traffic extracted from the WADS Radar Track. The entropies of the 
encrypted Radar Track messages are higher than those of all other scenarios. 

The entropy analysis demonstrates no statistically significant differences in the 
security of the FF1, FF2 and FF3 algorithms. This conclusion is supported by tests 
performed on a total of 1,128,866 unique ADS-B messages, ranging from a modeled dataset 
generated for the Fixed Bytes experiments, to a simulated dataset generated for the Fixed 
Fields experiments, to an operational dataset measured from a real transiting aircraft. 

4.2  Performance  Results 

The FF1, FF2, and FF3 algorithms are implemented in VHDL and synthesized on 
a Xilinx Virtex-6. The prevalence of the VHDL hardware description language in US 
Government research motivated its use in this study. Note that other hardware description 
languages may be used to implement the FPE algorithms. The performance results 
discussed in the following sections indicate that the underlying AES core is the principal 
factor in the latency and resource utilization of the algorithms. 
4.2.1  Verification of Hardware Implementation. 

The underlying AES block is verified in a behavioral simulation with sample key 
and plaintext from the NIST’s Known-Answer Test [43]. Figure 4.7 shows a screenshot 
of the behavioral verification of the AES core used to implement the FF1, FF2, and FF3 
algorithms. The core produces a ciphertext that matches the test vector. 


Figure 4.7: Behavioral Verification of AES core. (ISim waveform; signals: i_clk, 
i_p_text_rdy, i_e_key_rdy, i_p_text[15:0], i_e_key[15:0], o_cipher_text[15:0], 
o_cipher_rdy, i_clk_period; displayed byte vectors [00,01,02,03,04,05,06,07,08,09, 
0a,0b,0c,0d,0e,0f] and [...,bb,cc,dd,ee,ff].) 


The FF1, FF2, and FF3 implementations are verified in a similar fashion by 
comparison to known plaintext and ciphertext pairs produced by the software 
implementation. Figure 4.8 shows, as an example, the verification of the FF3 hardware 
implementation. Correctness is assessed by comparison to the software verification (see 
Figure 4.2). The three algorithms are correctly implemented. 

4.2.2  Resource Utilization. 

The Iterative Looping architecture employed in the design minimizes the hardware 
resources needed for each algorithm. Only one instance of a round is implemented 
for each algorithm. A loop counter is used to iterate through the appropriate number 
of rounds for each algorithm. All other subfunctions are realized with dedicated 
components. Inside the round function, each call to AES is implemented on a dedicated 
core in order to avoid complexity in the data flow control mechanism. 

Figure 4.8: Behavioral Verification of FF3 Implementation. (ISim waveform; signals: 
i_clk, i_plain_text[0:103], i_plain_rdy, i_key[15:0], i_tweak[7:0], o_cipher_text[0:103], 
o_cipher_rdy, i_clk_period; the plaintext word begins de... and the ciphertext word 
begins b5..., consistent with Figure 4.2.) 

The AES core employed in these designs occupies 1,864 Slices on the Virtex-6 
(XC6VLX240T) FPGA device. Such an implementation is comparable in size to recently 
published implementations [7]. Table 4.6 shows the results of the device utilization 
analysis. The size of the AES core is the principal factor in determining the area of 
the FPE implementations. As expected, the number of resources required increases 
proportionally to the number of AES components in each design. The exact number of 
slices, registers, LUTs, and RAM blocks is determined by the default Xilinx ISE 14.6 
suite’s XST synthesis optimization process. No 36Kb blocks of RAM were used during 
synthesis. 

Unexpectedly, the FF3 implementation consumes fewer FPGA resources than the AES 
core. The AES core as benchmarked includes a packet control mechanism that registers 
input and output (I/O) signals connected to the core. The AES packet controller is not 
needed for integration into FF1, FF2, and FF3. Its function is performed by the shift 
register that is used to synchronize the cascaded AES blocks inside the FPE Round block. 
Table 4.6: Resource Utilization of AES and FPE Algorithms. 

  Algorithm                      AES      FF1      FF2      FF3 
  Number of occupied Slices      1,864    3,850    3,728    1,820 
  Number of Slice Registers      5,801    11,285   11,323   5,592 
  Number of Slice LUTs           3,452    7,426    6,825    3,587 
  Number of 18Kb block RAMs      172      343      342      170 

The synchronization logic used inside the FF1, FF2, and FF3 designs is more hardware 
efficient than the AES packet control mechanism. 

4.2.2.1  Comparison. 

The FF1 implementation requires the most FPGA resources. The FF1 algorithm uses 
two instances of AES per round, which causes the area, or number of slices required, to 
be approximately twice that of one AES core. FF2 uses only one instance of AES in its 
round design, but requires an additional AES block to generate its subkey. As such, FF1 
and FF2 consume approximately twice as many device resources as the AES core. FF3 
has the smallest footprint of the three algorithms as it requires only one AES core in its 
FPE Round block. 

4.2.3  Operational  Latency. 

The post-place and route (post-PAR) static timing report in Xilinx ISE 14.6 provides 
a comprehensive summary of timing delay information. Table 4.7 shows the results of 
timing analysis and operational latency measurements for each algorithm. The maximum 
frequency tolerable for each design is derived from the worst path delay found during 
routing. According to the Place and Route report, the round control mechanism is the 
source of the maximum delay in each design. The number of clock cycles per round of 
FPE and the number of clock cycles required for a complete encryption cycle are obtained 
through behavioral simulation. The minimum latency for a complete encryption cycle 
is calculated for each algorithm by dividing the number of clock cycles required per 
encryption by the maximum frequency. 


Table 4.7: Latency of AES and FPE Algorithms. 

  Algorithm                      AES        FF1        FF2        FF3 
  Maximum Frequency (MHz)        336.315    279.587    284.592    283.427 
  Clock Cycles per Round         3          68         33         32 
  Clock Cycles per Encryption    31         707        374        269 
  Minimum Latency (µs)           0.092175   2.528729   1.314162   0.949098 

(The minimum latency is clock cycles per encryption divided by the maximum frequency; 
for example 31 cycles at 336.315 MHz is 0.092 µs, so the unit of the last row is microseconds.) 

4.2.3.1 Comparison.

The FF1 algorithm makes two calls to AES every round, which causes it to have the
highest latency of the three algorithms. FF1 takes 68 clock cycles per round, and 707
clock cycles in total to initialize the encryption parameters and complete ten rounds of
encryption. FF2 has a lower latency than FF1 because of a single call to AES in the F-
block of the Feistel structure versus two in FF1. As such, FF2 takes approximately half
as many clock cycles per round and per encryption as FF1. FF3 has the lowest latency of
the three algorithms because it uses only eight rounds compared to ten for FF1 and FF2.
Because the three designs close at similar maximum frequencies, the computed minimum
latencies track the clock-cycle counts almost proportionally. The latency of an operational
system will depend on the system clock frequency and CMOS technology.

4.2.4 Assessment.

The resource utilization of the underlying AES core is the biggest factor in the
resource utilization of the FPE algorithms. FF3 consumes the fewest FPGA
slices, and has the lowest operational latency of the three algorithms. The computed
latencies of the FF1, FF2, and FF3 hardware implementations are all well below the
DO-260B [55] Standard's maximum of 100 ms for ADS-B equipment.

4.3 Summary

The FF1, FF2, and FF3 algorithms securely encrypt the majority of plaintext treated
in the three sets of entropy experiments. The entropy after encryption of the ADS-B
messages extracted from the WADS Radar Track is higher than that of the artificial
messages tested in the Fixed Bytes and Fixed Fields experimental scenarios. Statistical
analysis reveals no significant differences in the security of FF1, FF2 and FF3. When
implemented in hardware, the use of the underlying block cipher by each algorithm
is the most significant factor in the performance of the FPGA implementations. The
FF3 algorithm has the lowest latency of the three because it uses only eight rounds
of encryption, and makes the fewest calls to AES per round. FF2 has slightly higher
latency than FF3, and FF1 requires the most clock cycles per encryption. However, all
three algorithms benefit from operational latencies that are lower than the DO-260B
requirement for ADS-B equipment.
V. Conclusions and Future Work


This chapter summarizes the results of the research effort and provides suggestions
for future work. The goal of this research was to determine the suitability of the
FF1, FF2, and FF3 algorithms for encryption of ADS-B messages, and the feasibility of a
BITW FPE cryptographic engine.

5.1  Research  Summary 

The NAS is due for a major upgrade to the NextGen Air Transportation System,
which includes an evolution from Radar-based surveillance to satellite-based surveillance.
NextGen furthers the evolution of the ATC system towards Free Flight, and brings several
needed improvements to the GA and commercial aviation sectors. The military has
identified multiple operational benefits of ADS-B, but is limited by unresolved security
gaps.

The availability of stand-alone ADS-B receivers for aerial enthusiasts, researchers,
and anonymous users poses an OPSEC risk to DoD, Department of Homeland Security
(DHS), and law enforcement aircraft. A malicious user with an inexpensive ADS-B In
receiver can possibly track the precise latitude, longitude and altitude of Air Force One or
other aircraft carrying political dignitaries. Furthermore, researchers have demonstrated
the ease with which ADS-B messages can be spoofed and false traffic injected into the
ADS-B domain. As such, the DoD has asked for the development of encryption and
jam/spoof proofing mechanisms for ADS-B to improve COMSEC and mitigate the
OPSEC risks.

The U.S. Navy and Coast Guard use the AES and Blowfish algorithms to encrypt
the AIS, their homologous vessel tracking system. However, the non-standard format of
ADS-B messages and the legacy communication channels used by its transponders make
it incompatible with traditional block ciphers.

One approach for securing ADS-B communication is to adapt the messages for
use within the existing military IFF system. However, the current IFF systems lack
the precision-tracking framework needed to maintain the accuracy of ADS-B. A more
desirable solution would use FPE to directly encrypt the ADS-B message.

The proposed solution for securing ADS-B is to retrofit encryption to legacy
transponders by adding a BITW FPE cryptographic module to secure ADS-B
communications. The goal of this research was to determine the suitability of the FF1,
FF2, and FF3 FPE algorithms recommended by the NIST, for encryption of ADS-B
messages with regards to security and performance.

The first objective of the research effort was to evaluate the security characteristics
of each algorithm using a representative dataset. The algorithms were tested with a model
dataset composed of incremental numbers of deterministic bytes in the Fixed Bytes test,
a simulated ADS-B message dataset in the Fixed Fields test, and an operational dataset
extracted from an observed Radar track. Entropy results in all three sets of experiments
demonstrate that there are no statistical differences in the security of the FF1, FF2 and
FF3 algorithms.

The second objective of the research was to evaluate the hardware performance
of the three algorithms by measuring operational latency and resource utilization of an
FPGA implementation. The FF3 algorithm proved to have the lowest area and latency,
due to its small number of encryption rounds and sparing use of AES in the Feistel round.
The characteristics of the underlying block cipher used in the implementation of the FPE
algorithms are the principal factors in determining the resource utilization and latency of
the hardware implementation.
The results of this research suggest that FPE is a suitable encryption scheme for
encrypting ADS-B communications. The algorithms are able to obfuscate repeated data in
plaintext, and output ciphertext with high entropic security. The reliance of the algorithms
on AES makes them easily implementable on a wide range of platforms, including
avionics hardware. The computed latencies of the FF1, FF2, and FF3 FPGA designs
satisfy, with a wide margin, the latency requirement of DO-260B "Minimum Operational
Performance Standards for 1090 MHz Extended Squitter Automatic Dependent
Surveillance - Broadcast (ADS-B) and Traffic Information Services - Broadcast (TIS-B)."

5.2  Impact 

The use of FPE to encrypt ADS-B messages provides Confidentiality to the system.
It prevents the disclosure of aircraft information to unauthorized parties during sensitive
military or law enforcement operations. The U.S. military can explore the solution as a
viable option for complying with the 2020 congressional mandate for ADS-B equipage,
while maintaining OPSEC.

The Air Force can take advantage of the benefits of the transition to NextGen and
ADS-B it identified in 2001, without sacrificing security. Secure ADS-B could enhance
safety and mission capabilities in Air Refueling (AR), Formation Flying, Rendezvous,
Fighter Intercept, Air Combat Maneuvering Instrumentation (ACMI) missions, and
precision Airdrop.

Military aircraft manufacturers, such as General Atomics Aeronautical Systems Inc.
and BAE Systems, testing ADS-B technology for use within an Airborne Sense-And-Avoid
architecture (ABSAA), can leverage findings from this research to assure the security of
these safety-critical systems. A malicious user could potentially derail the trajectory of
autonomous swarms of UAVs or disrupt their formation flight by projecting false traffic
with spoofed ADS-B messages. By using FPE, precision formation flight can rely on
encrypted ADS-B messages private to the formation.
During the course of this research, errors were discovered in the FPE decryption
algorithms published in Draft SP800-38G [10]. The decryption algorithms did not
properly reverse the Feistel structure of FPE. The error report was submitted to NIST
along with corrected decryption algorithms. Morris Dworkin, author of SP800-38G,
approved the suggested corrections [9].

5.3  Recommendations  for  Future  Work 

The initial findings of this research indicate that FF1, FF2, and FF3 may be used to
encrypt ADS-B with high security and low resource cost. Although the three algorithms
have the same entropic security, FF3 requires the least amount of hardware resources and
demonstrates the lowest operational latency. The research proposes the use of a BITW
FPE cryptographic engine to retrofit encryption to legacy ADS-B transponders. Further
investigation is necessary before the development and deployment of such a system can
be realized.

5.3.1  Characterization  of  ADS-B  Entropy. 

This research effort experimented with a Radar track obtained from WADS of an
aircraft travelling from California to Nebraska. The entropy of the unencrypted messages
was measured to be 6.51 bits/byte. The steady trajectory and altitude represented one of
the expected worst plaintext cases for encryption. However, the subsequent encryption of
the messages with the FF1, FF2 and FF3 algorithms yielded ciphertext with the highest
entropies measured in the research. One area of interest is the characterization of the
entropy of ADS-B messages for various flight trajectories and aircraft status. The study
would systematically evaluate the effect of various combinations of constant ME subfields
on the entropy of the FF1, FF2 and FF3 ciphertexts.
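The Feistel structure behind the round counts compared in 4.2.3.1, the decryption reversal discussed in 5.2, and the entropy measurement described above, as an added example that is not code from the thesis: a generic format-preserving Feistel cipher over numeral strings (eight rounds with one round-function call per round, as in FF3), its decryption applied in reverse round order, and a bits-per-byte Shannon entropy measurement of a constructed "fixed fields" message set before and after encryption. The AES-based round functions of FF1, FF2 and FF3 are replaced by HMAC-SHA256 so that the example runs with the Python standard library only; the key, tweak, constant field values and message counter are assumptions, the messages are not real ADS-B data, and the byte-ordering and tweak-splitting conventions of the SP 800-38G algorithms are not reproduced.

```python
import hashlib
import hmac
from collections import Counter
from math import ceil, log2

ROUNDS = 8          # FF3 uses 8 Feistel rounds; FF1 and FF2 use 10 (see Table 4.7)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"

# Example key and 64-bit tweak: assumptions for the demo, not values from the thesis.
KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
TWEAK = bytes.fromhex("d8e7920afa330a73")


def numeral_value(digits, radix):
    """Numeral string (most significant first) -> integer."""
    value = 0
    for d in digits:
        value = value * radix + d
    return value


def numeral_string(value, length, radix):
    """Integer -> exactly `length` numerals, most significant first."""
    out = []
    for _ in range(length):
        out.append(value % radix)
        value //= radix
    return out[::-1]


def round_function(key, tweak, i, half, m, radix):
    """Feistel F-block: keyed PRF of (tweak, round index, one half) reduced mod radix^m.
    FF1/FF2/FF3 build this from AES; HMAC-SHA256 stands in here (assumption)."""
    msg = tweak + bytes([i, m]) + bytes(half)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (radix ** m)


def fpe_encrypt(key, tweak, plaintext, radix=16):
    """Encrypt a numeral string to a numeral string of the same length and radix."""
    digits = [int(c, radix) for c in plaintext]
    n = len(digits)
    u = ceil(n / 2)
    v = n - u
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v          # the half being rewritten alternates in length
        y = round_function(key, tweak, i, b, m, radix)
        c = (numeral_value(a, radix) + y) % (radix ** m)
        a, b = b, numeral_string(c, m, radix)
    return "".join(ALPHABET[d] for d in a + b)


def fpe_decrypt(key, tweak, ciphertext, radix=16):
    """Undo the rounds in reverse order; the half fed to F during round i is now `a`."""
    digits = [int(c, radix) for c in ciphertext]
    n = len(digits)
    u = ceil(n / 2)
    v = n - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        y = round_function(key, tweak, i, a, m, radix)
        c = (numeral_value(b, radix) - y) % (radix ** m)
        a, b = numeral_string(c, m, radix), a
    return "".join(ALPHABET[d] for d in a + b)


def bits_per_byte(data):
    """Shannon entropy of a byte string in bits per byte (maximum 8.0)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())


def constructed_me_fields(count=200):
    """Constructed stand-in for a steady-trajectory track: 56-bit ME fields as 14 hex
    numerals, 12 of them fixed plus a 2-numeral counter. Not real ADS-B data."""
    return ["58a0ab1400" + "%04x" % i for i in range(count)]


def run_experiment(key=KEY, tweak=TWEAK):
    msgs = constructed_me_fields()
    cts = [fpe_encrypt(key, tweak, m) for m in msgs]
    pt = b"".join(bytes.fromhex(m) for m in msgs)
    ct = b"".join(bytes.fromhex(c) for c in cts)
    return {
        "plaintext_bits_per_byte": bits_per_byte(pt),
        "ciphertext_bits_per_byte": bits_per_byte(ct),
        "format_preserved": all(len(c) == 14 for c in cts),
        "roundtrip": all(fpe_decrypt(key, tweak, c) == m for c, m in zip(cts, msgs)),
        # FPE is deterministic: the same key, tweak and plaintext give the same
        # ciphertext, so a repeated message stays recognisable unless the tweak changes.
        "repeat_visible": cts[0] == fpe_encrypt(key, tweak, msgs[0]),
    }


if __name__ == "__main__":
    for name, value in run_experiment().items():
        print(f"{name}: {value}")
```

Running it reports plaintext entropy of about 3.6 bits/byte for the constructed fixed-field messages against close to 7.9 bits/byte for the ciphertext, with every message decrypting correctly; a decryptor that applies the rounds in forward order, or feeds the wrong half to the round function, fails this round-trip check, which is the test that exposes the kind of error reported to NIST. The repeat_visible flag is the caveat a deployment has to handle: because the cipher is deterministic, the tweak or key must vary between transmissions for an unchanged ME field to be obfuscated.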

5.3.2  Key  Management. 

FPE algorithms are symmetric ciphers, which means that the key must be
distributed offline or through another secure protocol. This research did not consider
the challenge of key distribution in its evaluation. Further study is necessary to devise a
suitable key distribution scheme. One may look at W-AIS for inspiration or extend the
existing key distribution scheme used for military IFF transponders.

5.3.3 NSA Approval of FPE.

The NSA categorizes encryption items into four product types [29]. IFF
transponders use a Type-1 algorithm approved by the NSA. A Type-1 Product refers to an
NSA endorsed classified or controlled cryptographic item for classified or sensitive U.S.
government information when appropriately keyed. AES with a 256-bit key is rated as a
Type-1 Product. A Type-2 Product refers to NSA endorsed unclassified cryptographic
equipment for sensitive but unclassified U.S. government information. A Type-3 Product
refers to NIST endorsed algorithms, registered and FIPS published, for sensitive but
unclassified U.S. government and commercial information. A Type-4 Product refers to
algorithms that are registered by the NIST but are not FIPS published. FF1, FF2, and FF3
currently qualify as Type-4 Products. The reclassification of FF1, FF2 and FF3 as Type-1
or the development of a Type-1 FPE algorithm would facilitate adoption by the DoD and
DHS community.

5.3.4  Channel  Interference. 

While in encrypted mode, a W-AIS transponder can still receive all unencrypted
transmissions from commercial AIS equipped ships within range [46]. This allows
military vessels to communicate with their trusted networks, while maintaining situational
awareness of other ships in the vicinity. The impact of injecting encrypted messages into
the ADS-B domain must be quantitatively evaluated.

In the W-AIS system, encrypted content is transmitted in a time slot designated for
its specific message format. ADS-B does not currently use TDMA or any other channel
multiplexing technique. The ICAO is conducting research [1] on phase modulation of
the 1090 MHz ES channel to increase data capacity without adding interference. This
multiplexing technique may enable military and law enforcement aircraft to transmit
encrypted ADS-B messages on a reserved portion of the channel.

5.3.5  Prototype  Transponder  with  Cryptographic  Engine. 

This  research  proposed  a  BITW  FPE  cryptographic  engine.  A  detailed  systems 
engineering  study  is  necessary  to  evaluate  the  integration  of  such  a  cryptographic  engine 
into  existing  ADS-B  transponders.  The  algorithms  are  demonstrated  to  have  lower  latency 
than  the  maximum  indicated  by  DO-260B  [55]  for  ADS-B  equipment.  However,  it  is  not 
possible  to  evaluate  the  impact  of  the  latency  of  the  cryptographic  engine  on  that  of  the 
overall  transponder  without  detailed  specifications  on  commercial  ADS-B  transponders. 
These  component  level  system  specifications  are  regarded  as  proprietary  information  by 
avionics  manufacturers. 

A prototype Secure ADS-B transponder built with a DIY kit such as Günter
Köllner's Mode-S Beast [34] can help estimate the overall latency of an ADS-B
transponder with an add-on FPE cryptographic engine. Such a prototype will best
resemble a production transponder by adhering to the DO-254 [53] Standard "Design
Assurance Guidance For Airborne Electronic Hardware."

5.3.6 Standardization of Secure ADS-B.

The first edition of the NATO STANAG for W-AIS was released in 2007, three years
after the IMO mandate to fit AIS on all international voyaging ships. The W-AIS is based
on existing AIS transponder specifications defined in ITU-R M.1371 [30] with add-on
encryption units, in order to reduce acquisition costs. A standard for Secure ADS-B based
on DO-260B [55] with add-on FPE encryption units would significantly expedite the
acquisition process and reduce costs to the taxpayer.

5.4  Conclusions 

The FF1, FF2 and FF3 FPE algorithms adequately secure ADS-B communications.
Although the three algorithms have statistically identical security, the FF3 algorithm
stands out as the most efficient in hardware. A BITW cryptographic module employing
FF3 or any of the other FPE algorithms may be used to retrofit encryption to legacy
ADS-B equipment.